Your message dated Sat, 23 Dec 2023 13:49:07 +0000
with message-id <[email protected]>
and subject line Bug#1057343: fixed in debian-security-support 1:13+2023.12.23
has caused the Debian Bug report #1057343,
regarding Mark tiles as only supported for building applications shipped in Debian
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1057343: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057343
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiles
Version: 3.0.7-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], [email protected], [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for tiles.

CVE-2023-49735[0]:
| ** UNSUPPORTED WHEN ASSIGNED **  The value set as the
| DefaultLocaleResolver.LOCALE_KEY attribute on the session was not
| validated while resolving XML definition files, leading to possible
| path traversal and eventually SSRF/XXE when passing user-controlled
| data to this key. Passing user-controlled data to this key may be
| relatively common, as it was also used like that to set the language
| in the 'tiles-test' application shipped with Tiles.  This issue
| affects Apache Tiles from version 2 onwards.  NOTE: This
| vulnerability only affects products that are no longer supported by
| the maintainer.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

The project is dead-upstream TTBOMK, so not sure if/what we can do at
all for this issue. Removal seems not possible as per:

carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
Will remove the following packages from unstable:

libtiles-java |    3.0.7-5 | all
libtiles-java-doc |    3.0.7-5 | all
     tiles |    3.0.7-5 | source

Maintainer: Debian Java Maintainers <[email protected]>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Build-Depends:
libspring-java: libtiles-java (>= 3.0)

Dependency problem found.

carnil@respighi:~$

But maybe we can set it as "no-dsa", is it only used as build
dependency for libspring-java and not sensible outside?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49735
    https://www.cve.org/CVERecord?id=CVE-2023-49735

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
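To make the mechanism in the CVE text concrete, here is an added illustration (not code from the bug report, from Tiles, or from debian-security-support) of what goes wrong when a Locale that an application built from a request parameter and stored in the session is used, unvalidated, to pick an XML definition file. The class, the definition-file layout under /WEB-INF, the supported-locale set and the crafted input are all assumptions for the example; the Tiles class names quoted in the advisory are not used.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added illustration of the pattern behind CVE-2023-49735; this is not
 * Tiles' own code. A Locale that the application stored in the session
 * from a request parameter is folded into the name of an XML definition
 * file. Class, method and path names are hypothetical.
 */
public class LocaleDefinitionLookup {

    // Assumed layout: definitions live under /WEB-INF as tiles.xml, tiles_en.xml, ...
    private static final Path DEFINITIONS_DIR = Paths.get("/WEB-INF");
    private static final String PREFIX = "tiles";
    private static final String EXT = ".xml";

    // Locales the application ships definition files for (assumed set).
    private static final Set<Locale> SUPPORTED =
            Set.of(Locale.ROOT, Locale.ENGLISH, Locale.US, Locale.GERMAN);

    // Shape of a Locale.toString() we are willing to put in a file name:
    // alphanumeric language/country/variant subtags joined by '_'.
    private static final Pattern SAFE_SUFFIX =
            Pattern.compile("[A-Za-z0-9]{2,8}(_[A-Za-z0-9]{2,8})*");

    /** What a naive "?lang=" handler does: the legacy Locale(String) constructor
     *  does not validate, so the parameter text survives (lowercased) as the language. */
    public static Locale localeFromParameterUnchecked(String lang) {
        return new Locale(lang);
    }

    /** Vulnerable lookup: the session-held Locale decides the file name as-is. */
    public static Path resolveUnchecked(Locale locale) {
        String suffix = locale.toString().isEmpty() ? "" : "_" + locale;
        return DEFINITIONS_DIR.resolve(PREFIX + suffix + EXT).normalize();
    }

    /** Hardened lookup: shape check, allowlist check, then a containment check
     *  on the final path as a backstop. */
    public static Path resolveChecked(Locale locale) {
        String suffix = locale.toString();
        if (!suffix.isEmpty() && !SAFE_SUFFIX.matcher(suffix).matches()) {
            locale = Locale.ROOT;   // '/', '.', '..' and the like never reach the path
        }
        if (!SUPPORTED.contains(locale)) {
            locale = Locale.ROOT;   // unknown but well-formed locale: default definitions
        }
        String fileName = PREFIX + (locale.toString().isEmpty() ? "" : "_" + locale) + EXT;
        Path resolved = DEFINITIONS_DIR.resolve(fileName).normalize();
        if (!resolved.startsWith(DEFINITIONS_DIR)) {
            throw new IllegalStateException("definition path left " + DEFINITIONS_DIR);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate browser locale and a crafted parameter.
        Locale benign = Locale.US;
        Locale crafted = localeFromParameterUnchecked("/../../etc/passwd");

        System.out.println("unchecked, benign : " + resolveUnchecked(benign));
        System.out.println("unchecked, crafted: " + resolveUnchecked(crafted));
        System.out.println("checked,   benign : " + resolveChecked(benign));
        System.out.println("checked,   crafted: " + resolveChecked(crafted));
    }
}
```

Running the class shows the two halves of the problem. With the benign locale both lookups land on /WEB-INF/tiles_en_US.xml. With the crafted value, the unchecked lookup builds "tiles_/../../etc/passwd.xml" and, once normalized, points at /etc/passwd.xml, outside /WEB-INF; the checked lookup rejects the suffix on shape, falls back to the root locale and returns /WEB-INF/tiles.xml. The allowlist matters as much as the regex: a well-formed but unsupported locale should not trigger a probe for a file the application never shipped. The pattern deliberately admits only plain language, country and variant subtags, so locales whose toString() carries a script or extension section (marked with '#') also fall back to the default. The advisory additionally mentions SSRF/XXE; that is the same unvalidated suffix reaching a URL-based resource loader rather than a file path, which this example does not model.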
--- Begin Message ---
Source: debian-security-support
Source-Version: 1:13+2023.12.23
Done: Holger Levsen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
debian-security-support, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated debian-security-support package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Dec 2023 14:35:23 +0100
Source: debian-security-support
Architecture: source
Version: 1:13+2023.12.23
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Team <[email protected]>,
Changed-By: Holger Levsen <[email protected]>
Closes: 1057343
Changes:
 debian-security-support (1:13+2023.12.23) unstable; urgency=medium
 .
   * Add tiles to security-support-limited.deb(13|12|11|10), Closes: #1057343.
Checksums-Sha1:
 2fe5a66af734b0760c9d7d4358fd10e1c098a317 1909 debian-security-support_13+2023.12.23.dsc
 96403ce2785162865858c17eea03c3cf398fc7dd 34448 debian-security-support_13+2023.12.23.tar.xz
 4e13444a1cbb30e41ade2f085a74768cd3b78c2b 7497 debian-security-support_13+2023.12.23_source.buildinfo
Checksums-Sha256:
 a916432090190b7586a7263334466b487a0c7fea38f07e6805a2452b32c6a86c 1909 debian-security-support_13+2023.12.23.dsc
 4c14a48583198de4a275aa637130aa8c4aa4af58754fc93fb64c50762cd73a65 34448 debian-security-support_13+2023.12.23.tar.xz
 62557caea01797dbe0a5a644afacc6ba949f7acda20035f6176ac1f368672c13 7497 debian-security-support_13+2023.12.23_source.buildinfo
Files:
 23b27b8b5d838d5ec024f1787425461f 1909 admin optional debian-security-support_13+2023.12.23.dsc
 3117669116032bc998a38154ce59747d 34448 admin optional debian-security-support_13+2023.12.23.tar.xz
 d7cfbcb2254ddef11c2cabe78f0d531b 7497 admin optional debian-security-support_13+2023.12.23_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
