Your message dated Thu, 07 Jun 2018 10:19:49 +0000
with message-id <e1fqs1f-000g3b...@fasolo.debian.org>
and subject line Bug#900953: fixed in plexus-archiver 3.6.0-1
has caused the Debian Bug report #900953,
regarding plexus-archiver: CVE-2018-1002200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plexus-archiver
Version: 3.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87

Hi,

The following vulnerability was published for plexus-archiver.

CVE-2018-1002200[0]:
| arbitrary file write vulnerability / arbitrary code execution using a
| specially crafted zip file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
[1] https://github.com/codehaus-plexus/plexus-archiver/pull/87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: plexus-archiver
Source-Version: 3.6.0-1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 11:50:41 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: source
Version: 3.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Closes: 889426 900953
Changes:
 plexus-archiver (3.6.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2018-1002200: Arbitrary file write vulnerability using
       a specially crafted zip file (Closes: #900953)
   * Removed Damien Raude-Morvan from the uploaders (Closes: #889426)
   * Standards-Version updated to 4.1.4
   * Switch to debhelper level 11
   * Use salsa.debian.org Vcs-* URLs


--- End Message ---
