Your message dated Mon, 22 Mar 2021 03:33:50 +0000
with message-id <[email protected]>
and subject line Bug#985221: fixed in velocity-tools 2.0-8
has caused the Debian Bug report #985221,
regarding velocity-tools: CVE-2020-13959
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: velocity-tools
Version: 2.0-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for velocity-tools.
CVE-2020-13959[0]:
| The default error page for VelocityView in Apache Velocity Tools prior
| to 3.1 reflects back the vm file that was entered as part of the URL.
| An attacker can set an XSS payload file as this vm file in the URL
| which results in this payload being executed. XSS vulnerabilities
| allow attackers to execute arbitrary JavaScript in the context of the
| attacked website and the attacked user. This can be abused to steal
| session cookies, perform requests in the name of the victim or for
| phishing attacks.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-13959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13959
[1] https://www.openwall.com/lists/oss-security/2021/03/10/2
Regards,
Salvatore
--- End Message ---
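The pattern the CVE text describes, as an added illustration in Java that is not Velocity Tools' own code: a hypothetical error-page renderer that reflects the requested template name into the HTML unescaped, beside one that HTML-escapes every request-derived value before inclusion. The class, method names and the sample input are constructed for this example.

```java
// Hypothetical minimal error-page renderer illustrating the class of bug in
// CVE-2020-13959 (request-derived template name reflected into the error page).
// Not the Velocity Tools code; names and sample input are constructed here.
public final class ErrorPageEscaping {

    /** Vulnerable pattern: the template name from the URL is reflected as-is. */
    static String reflectingErrorPage(String templateName) {
        return "<html><body><h1>Error</h1><p>Could not load template: "
             + templateName + "</p></body></html>";
    }

    /** Escape the characters that can change HTML text context into markup. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened form: anything taken from the request is escaped before reflection. */
    static String escapedErrorPage(String templateName) {
        return "<html><body><h1>Error</h1><p>Could not load template: "
             + escapeHtml(templateName) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: a "template name" carrying markup rather than a plain .vm path.
        String requested = "<b>not-a-template</b>.vm";
        String vulnerable = reflectingErrorPage(requested);
        String hardened   = escapedErrorPage(requested);
        // The reflecting page still contains live markup; the hardened page does not.
        if (!vulnerable.contains("<b>") || hardened.contains("<b>")) {
            throw new AssertionError("unexpected rendering");
        }
        System.out.println("hardened output: " + hardened);
    }
}
```

The same escaping must be applied anywhere the request path or template name is written into the page, and a regression test that feeds markup-bearing names through the error path catches the reflecting form early.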
--- Begin Message ---
Source: velocity-tools
Source-Version: 2.0-8
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
velocity-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated velocity-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 21 Mar 2021 18:54:10 -0700
Source: velocity-tools
Architecture: source
Version: 2.0-8
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 985221
Changes:
velocity-tools (2.0-8) unstable; urgency=high
.
* Team upload.
* Create upstream and pristine-tar branches.
* Update Vcs URLs to point to Salsa
* Apply patch for CVE-2020-13959 (closes: #985221)
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.