Your message dated Mon, 22 Dec 2014 18:03:06 +0000
with message-id <[email protected]>
and subject line Bug#773463: fixed in jasper 1.900.1-7+squeeze3
has caused the Debian Bug report #773463,
regarding jasper: CVE-2014-8137 CVE-2014-8138
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
773463: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773463
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jasper
Version: 1.900.1-7
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for jasper.

CVE-2014-8137[0]:
double-free in jas_iccattrval_destroy()

CVE-2014-8138[1]:
heap overflow in jp2_decode()

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8137
[1] https://security-tracker.debian.org/tracker/CVE-2014-8138
[2] http://www.ocert.org/advisories/ocert-2014-012.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-7+squeeze3

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Dec 2014 16:20:04 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source i386
Version: 1.900.1-7+squeeze3
Distribution: squeeze-lts
Urgency: high
Maintainer: Roland Stigge <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 773463
Changes: 
 jasper (1.900.1-7+squeeze3) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add 05-CVE-2014-8137.patch patch.
     CVE-2014-8137: double-free in jas_iccattrval_destroy(). (Closes: #773463)
   * Add 06-CVE-2014-8138.patch patch.
     CVE-2014-8138: heap overflow in jp2_decode(). (Closes: #773463)


--- End Message ---
