Your message dated Sat, 11 Jul 2020 11:47:08 +0000
with message-id <[email protected]>
and subject line Bug#964510: fixed in batik 1.10-2+deb10u1
has caused the Debian Bug report #964510,
regarding batik: CVE-2019-17566
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
964510: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964510
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: batik
X-Debbugs-CC: [email protected]
Severity: important
Version: 1.8-4
Tags: security

Hi,

The following vulnerability was published for batik.

CVE-2019-17566[0]: SSRF vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Note that this is fixed upstream in 1.13, and the fix is easy to backport. You
may want to consider fixing this for buster and stretch via the upcoming point
release.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17566
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17566

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: batik
Source-Version: 1.10-2+deb10u1
Done: Emilio Pozuelo Monfort <[email protected]>

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 10 Jul 2020 19:28:13 +0200
Source: batik
Architecture: source
Version: 1.10-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Closes: 964510
Changes:
 batik (1.10-2+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
     (Closes: #964510)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
