Your message dated Wed, 22 Aug 2018 20:58:19 +0000
with message-id <[email protected]>
and subject line Bug#906301: fixed in libcommons-compress-java 1.18-1
has caused the Debian Bug report #906301,
regarding libcommons-compress-java: CVE-2018-11771: denial of service vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
906301: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906301
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcommons-compress-java
Version: 1.9-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libcommons-compress-java.

CVE-2018-11771[0]:
| When reading a specially crafted ZIP archive, the read method of
| Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail
| to return the correct EOF indication after the end of the stream has
| been reached. When combined with a java.io.InputStreamReader this can
| lead to an infinite stream, which can be used to mount a denial of
| service attack against services that use Compress' zip package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11771
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
[1] http://www.openwall.com/lists/oss-security/2018/08/16/2

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcommons-compress-java
Source-Version: 1.18-1

We believe that the bug you reported is fixed in the latest version of
libcommons-compress-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libcommons-compress-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Aug 2018 21:43:55 +0200
Source: libcommons-compress-java
Binary: libcommons-compress-java
Architecture: source
Version: 1.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
 libcommons-compress-java - Java API for working with compression and archive formats
Closes: 906301
Changes:
 libcommons-compress-java (1.18-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.18.
     - Fix CVE-2018-11771.
       When reading a specially crafted ZIP archive, the read method of Apache
       Commons Compress ZipArchiveInputStream can fail to return the correct EOF
       indication after the end of the stream has been reached. When combined
       with a java.io.InputStreamReader this can lead to an infinite stream,
       which can be used to mount a denial of service attack against services
       that use Compress' zip package. Thanks to Salvatore Bonaccorso for the
       report. (Closes: #906301)
   * Declare compliance with Debian Policy 4.2.0.
Checksums-Sha1:
 e7edd17a8c96324ce991125159421d34648b216c 2523 libcommons-compress-java_1.18-1.dsc
 0cb89bb5f56874d1d2ba75e6d918488fea738dbe 9039040 libcommons-compress-java_1.18.orig.tar.xz
 164d9b33787c24b6dcdc67ccdfaa69d3ec0a3f36 5828 libcommons-compress-java_1.18-1.debian.tar.xz
 2e8dc0863e573b74ced9c98af0f555bc45ef0392 16444 libcommons-compress-java_1.18-1_amd64.buildinfo
Checksums-Sha256:
 1db8cba1436736d2d6b8ce36d46090169fe5343916072cb1483187778fac2210 2523 libcommons-compress-java_1.18-1.dsc
 41dff7f5877a3d4d6a9848db3cac1cc7b527cddd1ed50ae258e6ee2b6090a157 9039040 libcommons-compress-java_1.18.orig.tar.xz
 d5933da5f42a8e1dde1e70b9ca79c4c6a03fef247736219cd37b11e3881c2aea 5828 libcommons-compress-java_1.18-1.debian.tar.xz
 4c19ed4d523b8e2bfa54b8913c11aa073bafcfadbba5665a6ed6da12030538f3 16444 libcommons-compress-java_1.18-1_amd64.buildinfo
Files:
 1e0563e1c5d4271d7b1103c9d4ca88fd 2523 java optional libcommons-compress-java_1.18-1.dsc
 7db6a265d3578d3d9b509e8dd0088ae2 9039040 java optional libcommons-compress-java_1.18.orig.tar.xz
 a3701eb55777f8cbe38221c8cc380808 5828 java optional libcommons-compress-java_1.18-1.debian.tar.xz
 eda4919db2469212afadc5f021f1a32f 16444 java optional libcommons-compress-java_1.18-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
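Both the CVE text in the original report and the changelog entry above describe the same failure mode: ZipArchiveInputStream.read() may never return -1 on a malformed archive, so a consumer loop of the form "read until EOF" never terminates. The real remediation is the upgrade to 1.18 that closes this bug. The following is an added example, not code from the Debian package, from Apache Commons Compress, or from anyone in this thread, showing the defence-in-depth a service that unpacks untrusted archives would want regardless of library version: a consumer loop that bounds bytes per entry, bytes per archive, and the number of consecutive empty reads, so a stream that fails to signal EOF is cut off rather than spun on forever. The class names BoundedZipReader and LimitExceededException, the cap values, and the in-memory sample archive are my own constructions; the Commons Compress calls (ZipArchiveInputStream, getNextZipEntry, read) are the library's real API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Hypothetical helper (not part of Commons Compress or the Debian package):
 * drains every entry of a ZIP archive through ZipArchiveInputStream while
 * enforcing hard caps, so a read() that never reports EOF cannot keep the
 * consuming loop alive indefinitely.
 */
public final class BoundedZipReader {

    /** Raised when an entry, the archive, or the read loop exceeds a cap. */
    public static final class LimitExceededException extends IOException {
        LimitExceededException(String message) { super(message); }
    }

    private final long maxBytesPerEntry;
    private final long maxBytesTotal;
    private final int maxEmptyReads;   // consecutive read() calls returning 0

    public BoundedZipReader(long maxBytesPerEntry, long maxBytesTotal, int maxEmptyReads) {
        this.maxBytesPerEntry = maxBytesPerEntry;
        this.maxBytesTotal = maxBytesTotal;
        this.maxEmptyReads = maxEmptyReads;
    }

    /** Reads all entries and returns the total number of bytes consumed. */
    public long drain(InputStream archive) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(archive)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                long entryBytes = 0;
                int emptyReads = 0;
                int n;
                // The loop ends one of three ways: -1 from read() (normal EOF),
                // a byte cap being exceeded, or too many zero-length reads in a row.
                while ((n = zin.read(buf, 0, buf.length)) != -1) {
                    if (n == 0) {
                        if (++emptyReads > maxEmptyReads) {
                            throw new LimitExceededException(
                                "entry " + entry.getName() + ": stream stalled without EOF");
                        }
                        continue;
                    }
                    emptyReads = 0;
                    entryBytes += n;
                    total += n;
                    if (entryBytes > maxBytesPerEntry || total > maxBytesTotal) {
                        throw new LimitExceededException(
                            "entry " + entry.getName() + ": size cap exceeded after "
                            + total + " bytes");
                    }
                }
            }
        }
        return total;
    }

    /** Builds a small, well-formed archive in memory (constructed sample input). */
    static byte[] sampleArchive() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bytes)) {
            zout.putNextEntry(new ZipEntry("hello.txt"));
            zout.write("hello, world\n".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Caps: 1 MiB per entry, 16 MiB per archive, at most 64 consecutive empty reads.
        BoundedZipReader reader = new BoundedZipReader(1L << 20, 16L << 20, 64);
        long consumed = reader.drain(new ByteArrayInputStream(sampleArchive()));
        System.out.println("consumed " + consumed + " bytes from sample archive");
    }
}
```

The byte caps are the part that matters for this CVE: an InputStreamReader layered on a stream that never returns -1 will keep asking for more, but the wrapper above throws once the per-entry or per-archive budget is spent, turning an unbounded spin into a logged, bounded failure. The empty-read counter covers the related case of a stream that keeps returning 0 without progressing. Choose the caps from what the service legitimately expects to unpack, and treat a LimitExceededException as a signal worth alerting on, since well-formed archives from known producers should never hit it.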