Your message dated Thu, 05 Oct 2023 05:34:05 +0000
with message-id <[email protected]>
and subject line Bug#1053474: fixed in snappy-java 1.1.10.5-1
has caused the Debian Bug report #1053474,
regarding snappy-java: CVE-2023-43642
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1053474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: snappy-java
Version: 1.1.8.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for snappy-java.

CVE-2023-43642[0]:
| snappy-java is a Java port of the snappy, a fast C++
| compressor/decompressor developed by Google. The SnappyInputStream
| was found to be vulnerable to Denial of Service (DoS) attacks when
| decompressing data with a too large chunk size. Due to missing upper
| bound check on chunk length, an unrecoverable fatal error can occur.
| All versions of snappy-java including the latest released version
| 1.1.10.3 are vulnerable to this issue. A fix has been introduced in
| commit `9f8c3cf74` which will be included in the 1.1.10.4 release.
| Users are advised to upgrade. Users unable to upgrade should only
| accept compressed data from trusted sources.

Please double check as mainly filing the issue to make you aware of
the upstream issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43642
    https://www.cve.org/CVERecord?id=CVE-2023-43642
[1] https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5
[2] https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
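As an added illustration of the bug class the CVE text above describes (this is example code, not snappy-java's own source and not part of the bug report), a minimal chunk-framed reader in Java: the unchecked variant allocates whatever length the stream claims, the checked variant bounds it first. The chunk layout and the `MAX_CHUNK_SIZE` value are assumptions for the example, not the upstream format or the limit chosen in the upstream fix.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

public class ChunkLengthCheck {
    // Assumed limit for this example only; the real bound lives in upstream commit 9f8c3cf74.
    static final int MAX_CHUNK_SIZE = 8 * 1024 * 1024;

    // Vulnerable pattern: trusts the 4-byte length prefix and allocates it directly.
    // A header claiming 0x7FFFFFFF bytes makes the JVM attempt a ~2 GiB allocation
    // and fail with OutOfMemoryError, an Error rather than an IOException, which is
    // the "unrecoverable fatal error" the advisory describes.
    static byte[] readChunkUnchecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len = din.readInt();
        byte[] buf = new byte[len];
        din.readFully(buf);
        return buf;
    }

    // Mitigated pattern: reject negative or oversized lengths before any allocation,
    // surfacing a recoverable IOException that callers can catch and log.
    static byte[] readChunkChecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len = din.readInt();
        if (len < 0 || len > MAX_CHUNK_SIZE) {
            throw new IOException("invalid chunk length: " + len);
        }
        byte[] buf = new byte[len];
        din.readFully(buf);
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a header claiming 0x7FFFFFFF bytes with no payload behind it.
        byte[] malformed = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        try {
            readChunkChecked(new ByteArrayInputStream(malformed));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed well-formed chunk: length 3 followed by the payload "abc".
        byte[] wellFormed = {0, 0, 0, 3, 'a', 'b', 'c'};
        byte[] payload = readChunkChecked(new ByteArrayInputStream(wellFormed));
        System.out.println("accepted " + payload.length + " bytes");
    }
}
```

Feeding the same malformed header to readChunkUnchecked would instead terminate the thread with an OutOfMemoryError, which is why an upper-bound check before allocation, not a larger heap, is the fix.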
--- Begin Message ---
Source: snappy-java
Source-Version: 1.1.10.5-1
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
snappy-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated snappy-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Oct 2023 22:03:02 -0700
Source: snappy-java
Architecture: source
Version: 1.1.10.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1053474
Changes:
 snappy-java (1.1.10.5-1) unstable; urgency=medium
 .
   * Team upload.
   * Update debian/watch to detect new tagging format
   * New upstream version 1.1.10.5
     - Mitigates CVE-2023-43642 (Closes: #1053474)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
