Your message dated Sat, 07 Aug 2021 18:17:07 +0000
with message-id <[email protected]>
and subject line Bug#984949: fixed in xmlgraphics-commons 2.3-1+deb10u1
has caused the Debian Bug report #984949,
regarding xmlgraphics-commons: CVE-2020-11988: SSRF due to improper input validation by the XMPParser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
984949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984949
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xmlgraphics-commons
Version: 2.4-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/XGC-122
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for xmlgraphics-commons.

CVE-2020-11988[0]:
| Apache XmlGraphics Commons 2.4 is vulnerable to server-side request
| forgery, caused by improper input validation by the XMPParser. By
| using a specially-crafted argument, an attacker could exploit this
| vulnerability to cause the underlying server to make arbitrary GET
| requests.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11988
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988
[1] https://www.openwall.com/lists/oss-security/2021/02/24/1
[2] https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
[3] https://issues.apache.org/jira/browse/XGC-122

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
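The report above describes the mechanism in one sentence: the XMPParser fed attacker-controlled XML to a parser that would follow references the document itself supplies, so the server ended up issuing GET requests on the attacker's behalf. The following is an added illustration, not code from the bug report, from xmlgraphics-commons, or from the upstream commit linked as [2]. It shows the general SAX hardening pattern for this class of bug: a reader with external entity expansion and external DTD loading switched off, compared against a default reader on a constructed XMP-like packet whose DOCTYPE declares an external entity pointing at a placeholder URL (`example.invalid`, which never resolves). The feature URIs are the standard SAX/Xerces ones; the class and method names are chosen here for the example.

```java
import java.io.StringReader;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not from xmlgraphics-commons): an XML parser that expands
 * external entities will fetch any URL a document names. Turning that off in
 * the SAX reader stops the request at the parser, before any network I/O.
 */
public class HardenedXmpParse {

    /** Constructed sample: an XMP-like packet whose internal DTD subset declares an
     *  external general entity. The URL is a placeholder that never resolves. */
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE x:xmpmeta [ <!ENTITY ext SYSTEM \"http://example.invalid/probe\"> ]>\n"
        + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\"><d>&ext;</d></x:xmpmeta>";

    /** Reader with external entity expansion and external DTD loading disabled. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Standard SAX feature URIs; the JDK's built-in Xerces honours all three.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    /** Default reader, kept only as the baseline for comparison. */
    static XMLReader defaultReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser().getXMLReader();
    }

    /**
     * Parses the document and returns how many times the parser asked to resolve an
     * external entity. The resolver answers with an empty stream instead of touching
     * the network, so the count is the only observable effect of the entity reference.
     */
    static int parseCountingResolutions(XMLReader reader, String xml) throws Exception {
        int[] resolutions = {0};
        reader.setEntityResolver((publicId, systemId) -> {
            resolutions[0]++;
            return new InputSource(new StringReader(""));
        });
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(xml)));
        return resolutions[0];
    }

    public static void main(String[] args) throws Exception {
        // The default reader asks to resolve the entity; the hardened one reports it
        // via skippedEntity() and never consults the resolver.
        System.out.println("default reader resolution attempts:  "
            + parseCountingResolutions(defaultReader(), SAMPLE));
        System.out.println("hardened reader resolution attempts: "
            + parseCountingResolutions(hardenedReader(), SAMPLE));
    }
}
```

Since real XMP packets carry no DTD, a stricter deployment can additionally set `http://apache.org/xml/features/disallow-doctype-decl` to `true` and reject any input containing a DOCTYPE outright; the three features above are the minimum that stop the parser from originating requests. For detection, an outbound request from a document-processing host whose destination is taken from user-supplied metadata is the signal to alert on.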
--- Begin Message ---
Source: xmlgraphics-commons
Source-Version: 2.3-1+deb10u1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xmlgraphics-commons, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated xmlgraphics-commons package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Aug 2021 13:31:34 +0200
Source: xmlgraphics-commons
Architecture: source
Version: 2.3-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 984949
Changes:
 xmlgraphics-commons (2.3-1+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * Fix CVE-2020-11988:
     Apache XmlGraphics Commons is vulnerable to server-side request forgery,
     caused by improper input validation by the XMPParser. By using a
     specially-crafted argument, an attacker could exploit this vulnerability to
     cause the underlying server to make arbitrary GET requests.
     (Closes: #984949)
Checksums-Sha1:
 3a9c6462b81f092d7a576ebce93e8641b7869952 2538 xmlgraphics-commons_2.3-1+deb10u1.dsc
 450b1305d489ccd3a818e799d49dd202be27e04a 8356 xmlgraphics-commons_2.3-1+deb10u1.debian.tar.xz
 d6b9778bdece75e0e9042dd239ea99a1116815a2 14091 xmlgraphics-commons_2.3-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
 822914cc6da4cfb5d1916086ab6ce477390ad3d9edc0d88c0304c9e75d9da862 2538 xmlgraphics-commons_2.3-1+deb10u1.dsc
 80baa84cc954da85a56fc4865c82e08799c7da5e7ba131c752ab8ea9f1ed7839 8356 xmlgraphics-commons_2.3-1+deb10u1.debian.tar.xz
 b521799b4450289b75e42b16e7ba2e75eaf2cd2bdc43ed0f7491f8e0797ac85e 14091 xmlgraphics-commons_2.3-1+deb10u1_amd64.buildinfo
Files:
 cf3c1fb9847c2559750d44333d600925 2538 java optional xmlgraphics-commons_2.3-1+deb10u1.dsc
 830970944a7d10743b29e50f8e7f4e78 8356 java optional xmlgraphics-commons_2.3-1+deb10u1.debian.tar.xz
 61dd71fd38fbdc0d99fd83b3f390b969 14091 java optional xmlgraphics-commons_2.3-1+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---