Your message dated Mon, 25 Mar 2024 05:35:03 +0000
with message-id <e1rocz9-00bbvs...@fasolo.debian.org>
and subject line Bug#1067513: fixed in commons-configuration2 2.10.1-1
has caused the Debian Bug report #1067513,
regarding commons-configuration2: CVE-2024-29131
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1067513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: commons-configuration2
Version: 2.8.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/CONFIGURATION-840
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for commons-configuration2.

CVE-2024-29131[0]:
| Out-of-bounds Write vulnerability in Apache Commons
| Configuration. This issue affects Apache Commons Configuration: from
| 2.0 before 2.10.1.  Users are recommended to upgrade to version
| 2.10.1, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29131
    https://www.cve.org/CVERecord?id=CVE-2024-29131
[1] https://issues.apache.org/jira/browse/CONFIGURATION-840
[2] https://www.openwall.com/lists/oss-security/2024/03/20/4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: commons-configuration2
Source-Version: 2.10.1-1
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
commons-configuration2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1067...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated commons-configuration2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Mar 2024 21:43:35 -0700
Source: commons-configuration2
Architecture: source
Version: 2.10.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1067513 1067514
Changes:
 commons-configuration2 (2.10.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.10.1 (Closes: #1067513, #1067514)
     CVE-2024-29131, CVE-2024-29133
   * Ignore spotbugs maven plugin
   * Ignore org.apache.maven.plugins:maven-pmd-plugin
   * Add Build-Dep on libmockito-java and liblog4j2-java

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
