Your message dated Sun, 08 Aug 2021 08:16:02 +0000
with message-id <[email protected]>
and subject line Bug#984949: fixed in xmlgraphics-commons 2.4-2~deb11u1
has caused the Debian Bug report #984949,
regarding xmlgraphics-commons: CVE-2020-11988: SSRF due to improper input validation by the XMPParser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
984949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984949
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xmlgraphics-commons
Version: 2.4-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/XGC-122
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for xmlgraphics-commons.

CVE-2020-11988[0]:
| Apache XmlGraphics Commons 2.4 is vulnerable to server-side request
| forgery, caused by improper input validation by the XMPParser. By
| using a specially-crafted argument, an attacker could exploit this
| vulnerability to cause the underlying server to make arbitrary GET
| requests.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11988
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988
[1] https://www.openwall.com/lists/oss-security/2021/02/24/1
[2] https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
[3] https://issues.apache.org/jira/browse/XGC-122

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
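The report above describes the vulnerability class only (a parser that can be steered into issuing GET requests), not the mechanism or the upstream fix. The following is an added example, written for this page and not code from xmlgraphics-commons, the upstream commit or the Debian package; it assumes the SSRF stems from an XML parser resolving external references while reading an XMP packet, and shows the standard defensive configuration for a JDK/Xerces SAX parser: refuse DOCTYPE declarations and external entities so no outbound request can ever be triggered by the input. The class name `HardenedXmpParse`, the helper names and the `placeholder.invalid` host are all hypothetical; the XMP packets are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example, not code from xmlgraphics-commons or Debian.
 * Assumption: the SSRF described in the bug report arises from an XML parser
 * that resolves external references (DOCTYPE / external entities) while
 * reading an XMP packet. The remedy shown is the generic one for that class.
 */
public class HardenedXmpParse {

    /** Counts elements so a successful parse has an observable result. */
    static final class CountingHandler extends DefaultHandler {
        int elements;
        @Override
        public void startElement(String uri, String localName, String qName, Attributes attrs) {
            elements++;
        }
    }

    /** Builds a SAX parser with the JDK/Xerces hardening features enabled. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright blocks external DTDs and entity
        // declarations, the usual vehicle for parser-driven outbound requests.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    /** Parses an XMP packet; returns the element count, or -1 if the input was refused. */
    static int parseXmp(String xmp) throws ParserConfigurationException, SAXException {
        CountingHandler h = new CountingHandler();
        try {
            hardenedParser().parse(new ByteArrayInputStream(xmp.getBytes(StandardCharsets.UTF_8)), h);
            return h.elements;
        } catch (SAXException | IOException e) {
            // A DOCTYPE is refused at the declaration, before any I/O is attempted.
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, benign XMP packet (minimal RDF wrapper).
        String benign = "<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
            + "<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
            + "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
            + "<rdf:Description rdf:about=''/></rdf:RDF></x:xmpmeta><?xpacket end='w'?>";
        // Constructed packet whose DOCTYPE points at an external DTD on a
        // placeholder host. A permissive parser would try to fetch it; the
        // hardened one stops at the declaration, so the host is never contacted.
        String withDoctype = "<!DOCTYPE x SYSTEM 'http://placeholder.invalid/x.dtd'>"
            + "<x:xmpmeta xmlns:x='adobe:ns:meta/'/>";

        System.out.println("benign packet: elements parsed = " + parseXmp(benign));
        System.out.println("doctype packet: result = " + parseXmp(withDoctype) + " (refused)");
    }
}
```

The feature URIs are the ones the JDK's bundled Xerces understands; a different SAX implementation may throw `SAXNotRecognizedException` for some of them, which is itself a useful signal that the parser's hardening has not been verified. When triaging a report like this one, the check worth running is exactly this: feed the parser a packet with a DOCTYPE pointing at a host you control and confirm no request arrives.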
--- Begin Message ---
Source: xmlgraphics-commons
Source-Version: 2.4-2~deb11u1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xmlgraphics-commons, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated xmlgraphics-commons package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Aug 2021 17:33:57 +0200
Source: xmlgraphics-commons
Architecture: source
Version: 2.4-2~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 984949
Changes:
 xmlgraphics-commons (2.4-2~deb11u1) bullseye-security; urgency=medium
 .
   * Team upload
   * Rebuild for bullseye-security.
 .
 xmlgraphics-commons (2.4-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2020-11988:
     Apache XmlGraphics Commons is vulnerable to server-side request forgery,
     caused by improper input validation by the XMPParser. By using a
     specially-crafted argument, an attacker could exploit this vulnerability to
     cause the underlying server to make arbitrary GET requests.
     (Closes: #984949)
Checksums-Sha1:
 53608a9a0f0d5b2770983d1aefb0c5cc8c09e98a 2538 xmlgraphics-commons_2.4-2~deb11u1.dsc
 c60e3051743229a062c560703e591530e06bc114 1057052 xmlgraphics-commons_2.4.orig.tar.xz
 ad932dc92723408104a25629f63afbef381c923e 8424 xmlgraphics-commons_2.4-2~deb11u1.debian.tar.xz
 a2f81ce4e7c1e66f65552f2aa753076d1b52202e 13984 xmlgraphics-commons_2.4-2~deb11u1_amd64.buildinfo
Checksums-Sha256:
 c0133622b4d5192e026ba94afba8edd46dfed6e0ec980ae8ec31c15b05b96b3f 2538 xmlgraphics-commons_2.4-2~deb11u1.dsc
 4099b5520c8a8ffbe96b3947a1c8d652600b376f5a43bd1f80782b00b6360d42 1057052 xmlgraphics-commons_2.4.orig.tar.xz
 a8e0084702108eb6bcc0e9a1ce347160d985a02406901e691ae0cb9373390f79 8424 xmlgraphics-commons_2.4-2~deb11u1.debian.tar.xz
 df9963bad367ac89d2da8f6e0e4d29fef32b86f317a47270f90043a7932ffaca 13984 xmlgraphics-commons_2.4-2~deb11u1_amd64.buildinfo
Files:
 3580d076487fdbfb58f8c57d040c8e67 2538 java optional xmlgraphics-commons_2.4-2~deb11u1.dsc
 65198c53972356174c80b118efe6b716 1057052 java optional xmlgraphics-commons_2.4.orig.tar.xz
 1fe8f684e457341935f5237fbe0b047b 8424 java optional xmlgraphics-commons_2.4-2~deb11u1.debian.tar.xz
 97f4ad8cf45e114468d7ae0c0441ef7b 13984 java optional xmlgraphics-commons_2.4-2~deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---