Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id
<17351b82f829eb6917f78885cb849c4060b0a4a6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928553,
regarding stretch-pu: package libthrift-java/0.9.1-2.1~deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
The fix for CVE-2018-1320 was in sid (0.9.1-2.1) before the package got
removed, and is in jessie-lts (0.9.1-2+deb8u1), leaving stretch at an
older version than jessie-lts. So let's get it in stretch to restore
monotonic version ordering.
Andreas
diff -Nru libthrift-java-0.9.1/debian/changelog
libthrift-java-0.9.1/debian/changelog
--- libthrift-java-0.9.1/debian/changelog 2014-10-17 00:28:43.000000000
+0200
+++ libthrift-java-0.9.1/debian/changelog 2019-05-07 03:44:09.000000000
+0200
@@ -1,3 +1,22 @@
+libthrift-java (0.9.1-2.1~deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for stretch.
+
+ -- Andreas Beckmann <[email protected]> Tue, 07 May 2019 03:44:09 +0200
+
+libthrift-java (0.9.1-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-1320:
+ It was discovered that it was possible to bypass SASL negotiation
+ isComplete validation in the org.apache.thrift.transport.TSaslTransport
+ class. An assert used to determine if the SASL handshake had successfully
+ completed could be disabled in production settings making the validation
+ incomplete. (Closes: #918736)
+
+ -- Markus Koschany <[email protected]> Wed, 06 Feb 2019 19:04:12 +0100
+
libthrift-java (0.9.1-2) unstable; urgency=low
* Use 3.0 (quilt) source format.
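Review bot: The 0.9.1-2.1~deb9u1 entry says only "Rebuild for stretch" and does not name CVE-2018-1320; the CVE reference lives solely in the nested 0.9.1-2.1 unstable entry. Since this is the upload that actually delivers the fix to stretch, consider naming the CVE (and the upstream bug, #918736) in the deb9u1 entry as well, so the fix is discoverable from the stretch changelog itself and by tooling that scans changelogs for CVE ids rather than only through the intermediate unstable entry.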
diff -Nru libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch
libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch
--- libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 1970-01-01
01:00:00.000000000 +0100
+++ libthrift-java-0.9.1/debian/patches/CVE-2018-1320.patch 2019-02-06
19:04:12.000000000 +0100
@@ -0,0 +1,32 @@
+From: Markus Koschany <[email protected]>
+Date: Wed, 6 Feb 2019 18:59:31 +0100
+Subject: CVE-2018-1320
+
+Bug-Debian: https://bugs.debian.org/918736
+Origin:
https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
+---
+ src/org/apache/thrift/transport/TSaslTransport.java | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/org/apache/thrift/transport/TSaslTransport.java
b/src/org/apache/thrift/transport/TSaslTransport.java
+index b54746c..2f62016 100644
+--- a/src/org/apache/thrift/transport/TSaslTransport.java
++++ b/src/org/apache/thrift/transport/TSaslTransport.java
+@@ -268,7 +268,7 @@ abstract class TSaslTransport extends TTransport {
+ if (message.status == NegotiationStatus.COMPLETE &&
+ getRole() == SaslRole.CLIENT) {
+ LOGGER.debug("{}: All done!", getRole());
+- break;
++ continue;
+ }
+
+ sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE :
NegotiationStatus.OK,
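Review bot: Swapping `break` for `continue` in the `message.status == NegotiationStatus.COMPLETE && getRole() == SaslRole.CLIENT` branch changes the control flow from leaving the negotiation loop as soon as the peer reports COMPLETE to jumping back to the loop header, so the loop's own termination condition is re-evaluated instead of being skipped on the strength of the received status alone. That is the substance of the fix, but the loop header is outside this hunk's three lines of context, so a reviewer cannot confirm from the diff which condition now governs termination; widening the context, or stating in the patch description that the loop condition is what enforces SASL completion after this change, would make the hunk self-explanatory.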
+@@ -276,8 +276,6 @@ abstract class TSaslTransport extends TTransport {
+ }
+ LOGGER.debug("{}: Main negotiation loop complete", getRole());
+
+- assert sasl.isComplete();
+-
+ // If we're the client, and we're complete, but the server isn't
+ // complete yet, we need to wait for its response. This will occur
+ // with ANONYMOUS auth, for example, where we send an initial response
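Review bot: Deleting `assert sasl.isComplete();` removes the only completion check visible at this point, and the changelog entry above gives the reason: Java assertions are disabled unless the JVM is started with assertions enabled, so in a typical production deployment this check never ran and a negotiation that ended without `sasl.isComplete()` being true went unnoticed. Removal is only sound because completion is now enforced by the loop (the `continue` change in the preceding hunk), so the patch description should say that explicitly instead of leaving the reader to infer why a safety check is being dropped rather than replaced with a runtime exception. The summary's "1 insertion(+), 3 deletions(-)" is consistent with the hunks: one `continue` added; `break`, the assert and its trailing blank line removed.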
diff -Nru libthrift-java-0.9.1/debian/patches/series
libthrift-java-0.9.1/debian/patches/series
--- libthrift-java-0.9.1/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ libthrift-java-0.9.1/debian/patches/series 2019-02-06 19:04:12.000000000
+0100
@@ -0,0 +1 @@
+CVE-2018-1320.patch
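Review bot: debian/patches/series is created from scratch here (the old side is dated 1970-01-01, i.e. the file did not exist), which matches the 0.9.1-2 changelog entry's switch to the 3.0 (quilt) source format: this one-line file is what causes the patch to be applied at unpack time, so without it the CVE-2018-1320.patch added above would ship in the source package but never take effect. The name matches the patch file added above exactly, so the patch will be applied.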
--- End Message ---
--- Begin Message ---
Version: 9.10
Hi,
The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).
Regards,
Adam
--- End Message ---