-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4619-1 security@xxxxxxxxxx https://www.debian.org/security/ Salvatore Bonaccorso February 06, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libxmlrpc3-java CVE ID : CVE-2019-17570 Debian Bug : 949089 Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library. Note that a client that expects to get server-side exceptions need to set explicitly the enabledForExceptions property. For the oldstable distribution (stretch), this problem has been fixed in version 3.1.3-8+deb9u1. For the stable distribution (buster), this problem has been fixed in version 3.1.3-9+deb10u1. We recommend that you upgrade your libxmlrpc3-java packages. For the detailed security status of libxmlrpc3-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxmlrpc3-java Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl48hNhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TKMQ//VAIMT+y/PGlPLV5C2P82ZxHCNwKYwkPT7s9nI/jvqVH5CkL0kGjvW5Ng eFpZTW6hPMboDrUkSltRTawlYlwlMP1am8whOEL7EwZXYi5s3iixSZCI8lafDDT7 VyQ+ELFu0y5Y+WZtECvdZDLDVzWggCW+ZeQFK9WRFT32GrevAb/BFyDlHMGKREFq m9iQQ8D4+dPqOnF/RecCiohITV2++AECr8x4WzOHq/QCkYl/5PbQlZ9JGA1unDTC dt5wsjWLUGmwEW0Iy9h0AzlvuMfGnQ/5KkOu1ZfYwf2c5V7FXEg+Jj7M3ai+X+9f 6pcj+FyAUBD2dgS8psKSO4LbtGYDt826HZ/KxAp7W6gd5v1l3kEzKQsAsvQwaaxi X68AgwkXs94X1yiAAjAdAFc7js1aJr+1/aSzN0JP7jWX1SjWmLquEolKuOQF2pH2 enFo/TQixaLGrs3h5Oh41+a0i4kSBqxV1LiNMLaI9k8lOMlMaadJtkCF6umHh7SX bACOeVlVS25vnk/Bn9xgr5JyPTQdeR8VfZVgld2N5vOlfNIrRJcy/mqJfv5OmuG8 kTIsFP/ON/NMuyvDy6xfY3B+cVZzw9K2hmD41k6oRcaKjvYqWToDXZSaNT+wzHcc aqbVSHlL/jS7+1gRFsCX50p/JmtLGhlZtCF0FXhLamM7glyhLXk= =lpO+ -----END PGP SIGNATURE-----