Your message dated Mon, 04 Mar 2024 05:19:15 +0000
with message-id <[email protected]>
and subject line Bug#1064966: fixed in apache-mime4j 0.8.10-1
has caused the Debian Bug report #1064966,
regarding apache-mime4j: CVE-2024-21742
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1064966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064966
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache-mime4j
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for apache-mime4j.

CVE-2024-21742[0]:
| Improper input validation allows for header injection in MIME4J
| library when using MIME4J DOM for composing message. This can be
| exploited by an attacker to add unintended headers to MIME messages.

https://www.openwall.com/lists/oss-security/2024/02/27/5
https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1
 (apache-mime4j-project-0.8.10)
https://github.com/apache/james-mime4j/pull/91


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21742
    https://www.cve.org/CVERecord?id=CVE-2024-21742

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: apache-mime4j
Source-Version: 0.8.10-1
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
apache-mime4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated apache-mime4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Mar 2024 21:55:07 -0800
Source: apache-mime4j
Architecture: source
Version: 0.8.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1064966
Changes:
 apache-mime4j (0.8.10-1) unstable; urgency=medium
 .
   * Team upload
   * Update debian/watch to use GitHub API
   * New upstream version 0.8.10
     CVE-2024-21742 (Closes: #1064966)
   * Update debian/rules for different upstream changelog
   * Freshen years in debian/copyright
   * Use debhelper-compat 13
   * Set Rules-Requires-Root: no in debian/control
   * Bump Standards-Version to 4.6.2
   * Include Apache NOTICE file in binary package

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
