Debian Package Tracker

msgpack-java

MessagePack for Java


general
  • source: msgpack-java (main)
  • version: 0.9.6-1
  • maintainer: Debian Java Maintainers (archive) (DMD)
  • uploaders: Andrius Merkys [DMD]
  • arch: all
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.8.22-2
  • oldstable: 0.9.3-1
  • stable: 0.9.6-1
  • testing: 0.9.6-1
  • unstable: 0.9.6-1
versioned links
  • 0.8.22-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.9.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.9.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libmsgpack-java
action needed
A new upstream version is available: 0.9.11 high
A new upstream version 0.9.11 is available; you should consider packaging it.
Created: 2025-11-26 Last update: 2026-01-10 06:30
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2026-21452: MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. 
Version 0.9.11 fixes the vulnerability.
Created: 2026-01-03 Last update: 2026-01-03 17:31
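The defect described above is that a declared EXT32 payload length is trusted before anyone checks whether the input actually contains that many bytes. The Python pre-validator below is added here as an illustration (it is not msgpack-java's code or its 0.9.11 fix): it walks one msgpack document and rejects any str/bin/ext payload whose declared length exceeds either the bytes present or a cap, so a few-byte file declaring a 4 GiB extension is refused before any deserializer allocates for it. `MAX_PAYLOAD`, the function names and the sample buffers are assumptions.

```python
MAX_PAYLOAD = 16 * 1024 * 1024   # hypothetical per-deployment cap for a single payload
# format byte -> (width of the length field, header bytes between length and payload)
_LEN_PREFIXED = {0xc4: (1, 0), 0xc5: (2, 0), 0xc6: (4, 0),   # bin8/16/32
                 0xc7: (1, 1), 0xc8: (2, 1), 0xc9: (4, 1),   # ext8/16/32 (type id follows length)
                 0xd9: (1, 0), 0xda: (2, 0), 0xdb: (4, 0)}   # str8/16/32
_COUNTED = {0xdc: (2, 1), 0xdd: (4, 1), 0xde: (2, 2), 0xdf: (4, 2)}  # array16/32, map16/32
_FIXED = {0xc0: 0, 0xc2: 0, 0xc3: 0, 0xca: 4, 0xcb: 8,       # nil, false, true, float32/64
          **{0xcc + i: 1 << (i & 3) for i in range(8)},      # uint8..64, int8..64
          **{0xd4 + i: 1 + (1 << i) for i in range(5)}}      # fixext1..16: type byte + data

def _need(buf, pos, n):
    # Advance past n bytes, failing if the input does not actually contain them.
    if pos + n > len(buf):
        raise ValueError(f"declared {n} bytes at offset {pos}, only {len(buf) - pos} remain")
    return pos + n

def check_object(buf, pos=0, max_payload=MAX_PAYLOAD):
    """Walk one msgpack object starting at pos; return the offset just after it."""
    pos = _need(buf, pos, 1)
    b = buf[pos - 1]
    if b <= 0x7f or b >= 0xe0: return pos                    # positive / negative fixint
    if 0xa0 <= b <= 0xbf: return _need(buf, pos, b & 0x1f)   # fixstr, length in low 5 bits
    if b in _FIXED: return _need(buf, pos, _FIXED[b])
    if b in _LEN_PREFIXED:
        width, extra = _LEN_PREFIXED[b]
        pos = _need(buf, pos, width)
        n = int.from_bytes(buf[pos - width:pos], "big")
        if n > max_payload:                          # the EXT32 case: refuse before anything allocates
            raise ValueError(f"declared payload of {n} bytes exceeds cap {max_payload}")
        return _need(buf, pos, extra + n)
    if 0x80 <= b <= 0x9f:                            # fixmap (0x8x) / fixarray (0x9x)
        count, per = b & 0x0f, (2 if b < 0x90 else 1)
    elif b in _COUNTED:
        width, per = _COUNTED[b]
        pos = _need(buf, pos, width)
        count = int.from_bytes(buf[pos - width:pos], "big")
    else:
        raise ValueError(f"unknown format byte 0x{b:02x}")
    for _ in range(count * per):                     # every child is bounds-checked the same way
        pos = check_object(buf, pos, max_payload)
    return pos

def is_safe(buf, max_payload=MAX_PAYLOAD):
    # True only if buf is exactly one object whose declared lengths all fit the input.
    try:
        return check_object(buf, 0, max_payload) == len(buf)
    except (ValueError, RecursionError):             # RecursionError: absurdly deep nesting
        return False

# Constructed samples: {"a": ext(type 1, 2 bytes)} and a 6-byte EXT32 header declaring 4 GiB.
GOOD = bytes([0x81, 0xa1, 0x61, 0xc7, 0x02, 0x01, 0xaa, 0xbb])
BAD = bytes([0xc9, 0xff, 0xff, 0xff, 0xff, 0x01])
```

Run `is_safe` over an untrusted buffer before handing it to the real deserializer; it also rejects truncated input, since every declared length is checked against the bytes that remain.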
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-21452: same issue as described under trixie above.
Version 0.9.11 fixes the vulnerability.
Created: 2026-01-03 Last update: 2026-01-03 17:31
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-21452: same issue as described under trixie above.
Version 0.9.11 fixes the vulnerability.
Created: 2026-01-03 Last update: 2026-01-03 17:31
1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-21452: same issue as described under trixie above.
Version 0.9.11 fixes the vulnerability.
Created: 2026-01-03 Last update: 2026-01-03 17:31
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-21452: same issue as described under trixie above.
Version 0.9.11 fixes the vulnerability.
Created: 2026-01-03 Last update: 2026-01-03 17:31
debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 0.9.6-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-11-19 09:39
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.2).
Created: 2024-04-07 Last update: 2025-12-23 20:00
news
[rss feed]
  • [2023-10-31] msgpack-java 0.9.6-1 MIGRATED to testing (Debian testing watch)
  • [2023-10-26] Accepted msgpack-java 0.9.6-1 (source) into unstable (Andrius Merkys)
  • [2023-08-12] msgpack-java 0.9.5-1 MIGRATED to testing (Debian testing watch)
  • [2023-08-07] Accepted msgpack-java 0.9.5-1 (source) into unstable (Andrius Merkys)
  • [2023-07-29] msgpack-java 0.9.4-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-24] Accepted msgpack-java 0.9.4-1 (source) into unstable (Andrius Merkys)
  • [2022-07-05] msgpack-java 0.9.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-30] Accepted msgpack-java 0.9.3-1 (source) into unstable (Andrius Merkys)
  • [2022-06-26] msgpack-java 0.9.2-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-21] Accepted msgpack-java 0.9.2-1 (source) into unstable (Andrius Merkys)
  • [2022-03-13] msgpack-java 0.9.1-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-08] Accepted msgpack-java 0.9.1-1 (source) into unstable (Andrius Merkys)
  • [2022-03-01] msgpack-java 0.9.0-2 MIGRATED to testing (Debian testing watch)
  • [2022-02-23] Accepted msgpack-java 0.9.0-2 (source) into unstable (Pierre Gruet)
  • [2021-09-12] msgpack-java 0.9.0-1 MIGRATED to testing (Debian testing watch)
  • [2021-09-07] Accepted msgpack-java 0.9.0-1 (source) into unstable (Andrius Merkys)
  • [2020-12-26] msgpack-java 0.8.22-2 MIGRATED to testing (Debian testing watch)
  • [2020-12-21] Accepted msgpack-java 0.8.22-2 (source) into unstable (Andrius Merkys)
  • [2020-12-21] Accepted msgpack-java 0.8.22-1 (source) into unstable (Andrius Merkys)
  • [2020-09-21] msgpack-java 0.8.21-1 MIGRATED to testing (Debian testing watch)
  • [2020-09-16] Accepted msgpack-java 0.8.21-1 (source) into unstable (Andrius Merkys)
  • [2020-08-16] msgpack-java 0.8.20-2 MIGRATED to testing (Debian testing watch)
  • [2020-08-11] Accepted msgpack-java 0.8.20-2 (source) into unstable (Andrius Merkys)
  • [2020-03-16] msgpack-java 0.8.20-1 MIGRATED to testing (Debian testing watch)
  • [2020-03-10] Accepted msgpack-java 0.8.20-1 (source) into unstable (Andrius Merkys)
  • [2019-11-30] msgpack-java 0.8.19-1 MIGRATED to testing (Debian testing watch)
  • [2019-11-25] Accepted msgpack-java 0.8.19-1 (source) into unstable (Andrius Merkys)
  • [2019-11-17] msgpack-java 0.8.18-2 MIGRATED to testing (Debian testing watch)
  • [2019-11-11] Accepted msgpack-java 0.8.18-2 (source) into unstable (Andrius Merkys)
  • [2019-11-11] Accepted msgpack-java 0.8.18-1 (source) into unstable (Andrius Merkys)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.9.6-1build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers