Your message dated Sun, 07 Apr 2019 22:33:37 +0000
with message-id <[email protected]>
and subject line Bug#926088: fixed in robocode 1.9.3.3-2
has caused the Debian Bug report #926088,
regarding robocode: CVE-2019-10648
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
926088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926088
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: robocode
Version: 1.9.3.3-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/robocode/bugs/406/

Hi,

The following vulnerability was published for robocode.

CVE-2019-10648[0]:
| Robocode through 1.9.3.5 allows remote attackers to cause external
| service interaction (DNS), as demonstrated by a query for a unique
| subdomain name within an attacker-controlled DNS zone, because of a
| .openStream call within java.net.URL.

The respective upstream issue[2] is unfortunately forbidden to access
but the commit [3] is associated with it. Not sure on the severity so
choosing important for now.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10648
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10648
[1] https://sourceforge.net/p/robocode/bugs/406/
[2] https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd#diff-0296a8f9d4a509789f4dc4f052d9c36f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: robocode
Source-Version: 1.9.3.3-2

We believe that the bug you reported is fixed in the latest version of
robocode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated robocode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Apr 2019 00:13:19 +0200
Source: robocode
Architecture: source
Version: 1.9.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 926088
Changes:
 robocode (1.9.3.3-2) unstable; urgency=medium
 .
   * Fix CVE-2019-10648:
     Robocode allows remote attackers to cause external service interaction
     (DNS), as demonstrated by a query for a unique subdomain name within an
     attacker-controlled DNS zone, because of a .openStream call within
     java.net.URL. (Closes: #926088)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
