Your message dated Sun, 02 Oct 2022 11:02:58 +0000
with message-id <[email protected]>
and subject line Bug#1012314: fixed in maven-shared-utils 3.3.0-1+deb11u1
has caused the Debian Bug report #1012314,
regarding maven-shared-utils: CVE-2022-29599
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1012314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012314
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: maven-shared-utils
Version: 3.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/MSHARED-297
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for maven-shared-utils.
CVE-2022-29599[0]:
| In Apache Maven maven-shared-utils prior to version 3.3.3, the
| Commandline class can emit double-quoted strings without proper
| escaping, allowing shell injection attacks.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599
[1] https://issues.apache.org/jira/browse/MSHARED-297
[2] https://github.com/apache/maven-shared-utils/pull/40
[3] https://github.com/apache/maven-shared-utils/commit/f751e614c09df8de1a080dc1153931f3f68991c9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
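Added example, not part of the bug report or of the maven-shared-utils code: a shell sketch of the bug class the CVE text names, an argument wrapped in double quotes with nothing escaped, next to a single-quoted form. The function names and the sample argument are hypothetical and constructed for illustration, and the single-quote form is one standard hardening, not a claim about what the upstream patch does.

```shell
#!/bin/sh
# Illustration only: these helpers are hypothetical, not maven-shared-utils APIs.

# Weak form: wrap the argument in double quotes and escape nothing.
# $(...), backticks, $VAR and embedded " stay live for the receiving shell.
quote_double_naive() {
    printf '"%s"' "$1"
}

# Hardened form: wrap in single quotes, where the shell expands nothing.
# Each embedded ' is emitted as '\'' (close quote, escaped quote, reopen).
# The function body is a subshell so the helper variables stay private.
quote_single() (
    rest=$1
    out=
    while :; do
        case $rest in
            *\'*)
                head=${rest%%\'*}      # text before the first '
                rest=${rest#*\'}       # text after the first '
                out="$out$head'\\''"
                ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$rest"
)

# Build a command line as one string and hand it to a shell, then return
# the argument that printf actually received.
run_via_shell() {
    sh -c "printf '%s' $1"
}

# Constructed sample argument: harmless command substitution plus a quote.
SAMPLE_ARG='name $(echo INJECTED) it'"'"'s'

printf 'double-quoted: %s\n' "$(run_via_shell "$(quote_double_naive "$SAMPLE_ARG")")"
printf 'single-quoted: %s\n' "$(run_via_shell "$(quote_single "$SAMPLE_ARG")")"
```

In the double-quoted case the receiving shell evaluates the substitution before the program sees its argument; in the single-quoted case the argument arrives byte for byte.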
--- Begin Message ---
Source: maven-shared-utils
Source-Version: 3.3.0-1+deb11u1
Done: Aron Xu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
maven-shared-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated maven-shared-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 23 Sep 2022 14:28:15 +0800
Source: maven-shared-utils
Architecture: source
Version: 3.3.0-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1012314
Changes:
maven-shared-utils (3.3.0-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
.
[Markus Koschany ]
* Fix CVE-2022-29599: Apache Maven maven-shared-utils, the Commandline class
can emit double-quoted strings without proper escaping, allowing shell
injection attacks. (Closes: #1012314)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.