Your message dated Mon, 13 May 2024 21:19:39 +0000
with message-id <e1s6d59-0068ev...@fasolo.debian.org>
and subject line Bug#1055853: fixed in jgit 6.7.0-1
has caused the Debian Bug report #1055853,
regarding jgit: CVE-2023-4759
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055853: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jgit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jgit.

CVE-2023-4759[0]:
| Arbitrary File Overwrite in Eclipse JGit <= 6.6.0
| In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link
| present in a specially crafted git repository can be used to write a
| file to locations outside the working tree when this repository is
| cloned with JGit to a case-insensitive filesystem, or when a checkout
| from a clone of such a repository is performed on a case-insensitive
| filesystem. This can happen on checkout (DirCacheCheckout), merge
| (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using
| merge), and when applying a patch (PatchApplier). This can be
| exploited for remote code execution (RCE), for instance if the file
| written outside the working tree is a git filter that gets executed
| on a subsequent git command. The issue occurs only on
| case-insensitive filesystems, like the default filesystems on Windows
| and macOS. The user performing the clone or checkout must have the
| rights to create symbolic links for the problem to occur, and
| symbolic links must be enabled in the git configuration. Setting
| git configuration option core.symlinks = false before checking out
| avoids the problem. The issue was fixed in Eclipse JGit version
| 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven
| Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and
| repo.eclipse.org
| https://repo.eclipse.org/content/repositories/jgit-releases/.
| The JGit maintainers would like to thank RyotaK for finding and
| reporting this issue.

https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 (v6.6.1.202309021850-r)
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4759
    https://www.cve.org/CVERecord?id=CVE-2023-4759

Please adjust the affected versions in the BTS as needed.

--- End Message ---
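The hazard the CVE text describes, as an added audit example (not JGit's or Debian's code): it reads a constructed `git ls-tree -r` style listing with assumed symlink targets, flags links whose target resolves outside the working tree and entries that a case-insensitive filesystem would write through a symlink once path case is folded, and reads the `core.symlinks` mitigation from a constructed config snippet.

```python
"""Audit a repository listing for the CVE-2023-4759 hazard (added example,
not JGit code): symlinks that point outside the working tree, and entries a
case-insensitive filesystem would write *through* a symlink because a path
component matches the symlink path once case is folded."""
import configparser
import posixpath

# Constructed `git ls-tree -r` style sample; object ids are dummies.
SAMPLE_LISTING = """\
100644 blob 0000000000000000000000000000000000000001\tREADME.md
120000 blob 0000000000000000000000000000000000000002\thooks
100644 blob 0000000000000000000000000000000000000003\tHooks/pre-commit
120000 blob 0000000000000000000000000000000000000004\tdocs/link
"""
# Assumed symlink targets (a real audit reads them from the symlink blobs).
SAMPLE_TARGETS = {"hooks": "../../outside", "docs/link": "../README.md"}
SAMPLE_CONFIG = "[core]\n\tsymlinks = false\n"  # constructed config snippet


def parse_ls_tree(text):
    """Return [(mode, path)] from `git ls-tree -r` output (mode 120000 = symlink)."""
    return [(line.split()[0], line.split("\t", 1)[1]) for line in text.splitlines()]


def escapes_worktree(link_path, target):
    """True if the link target resolves outside the working tree root."""
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def audit(entries, targets):
    """Return findings as (kind, path, detail) tuples, in listing order."""
    findings = []
    links = {p.casefold(): p for mode, p in entries if mode == "120000"}
    for mode, path in entries:
        target = targets.get(path, "")
        if mode == "120000" and escapes_worktree(path, target):
            findings.append(("escape", path, target))
        parts = path.split("/")
        for i in range(1, len(parts)):  # each proper directory prefix of the path
            link = links.get("/".join(parts[:i]).casefold())
            if link is not None:  # case-folded prefix collides with a symlink
                findings.append(("through-symlink", path, link))
    return findings


def symlinks_enabled(config_text):
    """core.symlinks from git config text; absent is treated as enabled here."""
    cfg = configparser.ConfigParser()
    cfg.read_string("\n".join(l.strip() for l in config_text.splitlines()))
    return cfg.getboolean("core", "symlinks", fallback=True)
```

Running `audit(parse_ls_tree(SAMPLE_LISTING), SAMPLE_TARGETS)` flags `hooks` as escaping and `Hooks/pre-commit` as written through it, while `docs/link` stays inside the tree and is not reported.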
--- Begin Message ---
Source: jgit
Source-Version: 6.7.0-1
Done: Pierre Gruet <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jgit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <p...@debian.org> (supplier of updated jgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 13 May 2024 22:35:40 +0200
Source: jgit
Architecture: source
Version: 6.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Pierre Gruet <p...@debian.org>
Closes: 1055853
Changes:
 jgit (6.7.0-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 6.7.0:
     - Fixes CVE-2023-4759 (Closes: #1055853)
   * Refreshing patches
   * Raising Standards version to 4.7.0 (no change)
   * Updating build-dependencies and Maven rules
   * Updating the list of pom.xml files to ignore
   * Building the package with javac instead of the eclipse compiler
   * Setting the versions of the Debian-packaged Maven plugins for the build
   * Skipping the generation of unneeded artifacts with maven-antrun-plugin
   * Trim trailing whitespace in d/control



--- End Message ---