Your message dated Thu, 07 Nov 2024 23:19:25 +0000
with message-id <[email protected]>
and subject line Bug#1084985: fixed in fop 1:2.10+dfsg-1
has caused the Debian Bug report #1084985,
regarding fop: CVE-2024-28168
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1084985: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084985
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fop
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for fop.

CVE-2024-28168[0]:
| Improper Restriction of XML External Entity Reference ('XXE')
| vulnerability in Apache XML Graphics FOP.  This issue affects Apache
| XML Graphics FOP: 2.9.  Users are recommended to upgrade to version
| 2.10, which fixes the issue.

https://www.openwall.com/lists/oss-security/2024/10/09/1
https://issues.apache.org/jira/browse/FOP-3168
https://github.com/apache/xmlgraphics-fop/commit/d96ba9a11710d02716b6f4f6107ebfa9ccec7134


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28168
    https://www.cve.org/CVERecord?id=CVE-2024-28168

Please adjust the affected versions in the BTS as needed.

--- End Message ---
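The report above names the vulnerability class only ("Improper Restriction of XML External Entity Reference"). The following is an added illustration of that class, not code from the Debian report, from Apache FOP or from the fix commit linked above: it feeds an XSL-FO document carrying a SYSTEM entity to Python's expat-backed SAX parser, once with external general entities resolved (the vulnerable behaviour) and once with them disabled (the hardened behaviour), and shows what text each run would hand on to a renderer. The secret file, its content, the entity name `xxe`, the FO skeleton and the helper names are all constructed for this example; nothing here describes how FOP 2.9 itself parsed input or what the 2.10 change did beyond closing the issue.

```python
# Added illustration of the XXE class (CWE-611) behind CVE-2024-28168.
# NOT Apache FOP code: Python's expat-backed SAX parser is used to show what an
# XSL-FO document with an external entity does when the parser resolves
# external general entities versus when it does not. The secret file, its
# content and the FO skeleton are constructed for this example.
import os
import tempfile
import xml.sax
from io import StringIO
from xml.sax.handler import ContentHandler, feature_external_ges


def write_secret(dirpath):
    """Write a constructed 'secret' file standing in for e.g. /etc/passwd."""
    path = os.path.join(dirpath, "secret.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("SECRET-TOKEN-123")
    return path


def build_malicious_fo(secret_path):
    """XSL-FO document whose internal DTD subset declares an external entity
    pointing at a local file and references it from an fo:block."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE fo:root [
  <!ENTITY xxe SYSTEM "file://{secret_path}">
]>
<fo:root xmlns:fo="http://www.w3.org/1999/XSL/Format">
  <fo:layout-master-set>
    <fo:simple-page-master master-name="page"/>
  </fo:layout-master-set>
  <fo:page-sequence master-reference="page">
    <fo:flow flow-name="xsl-region-body">
      <fo:block>&xxe;</fo:block>
    </fo:flow>
  </fo:page-sequence>
</fo:root>
"""


class TextCollector(ContentHandler):
    """Collects character data, i.e. what a formatter would put on the page."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks).strip()


def parse_fo_text(document, resolve_external_entities):
    """Parse the document and return its text content.

    resolve_external_entities=True mirrors a parser that follows SYSTEM
    entities (the vulnerable configuration). False is the hardened setting:
    expatreader then leaves the entity unresolved and no file content is read.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(StringIO(document))
    return collector.text()


def run_demo():
    """Return the text a vulnerable and a hardened parser extract."""
    with tempfile.TemporaryDirectory() as tmp:
        document = build_malicious_fo(write_secret(tmp))
        return {
            "vulnerable": parse_fo_text(document, True),
            "hardened": parse_fo_text(document, False),
        }


if __name__ == "__main__":
    for mode, text in run_demo().items():
        print(f"{mode:10s} -> {text!r}")
```

The vulnerable run returns the file's content as document text, which is exactly what leaks into the rendered output (or an error message) when a formatter accepts untrusted FO input; the hardened run returns an empty string because the entity reference is skipped. The practical check for a FOP deployment is the package version: Debian unstable ships the fixed upstream 2.10 as 1:2.10+dfsg-1, per the changelog below.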
--- Begin Message ---
Source: fop
Source-Version: 1:2.10+dfsg-1
Done: Pierre Gruet <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <[email protected]> (supplier of updated fop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Nov 2024 23:55:56 +0100
Source: fop
Architecture: source
Version: 1:2.10+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Pierre Gruet <[email protected]>
Closes: 1064305 1084985 1086266
Changes:
 fop (1:2.10+dfsg-1) unstable; urgency=medium
 .
    * Team upload
    * Upload of upstream version 2.10+dfsg to unstable (Closes: #1064305):
      - Fixes CVE-2024-28168 (Closes: #1084985)
      - Solves FTBFS in unstable (Closes: #1086266)
    * Adding fontbox2 to the classpath of the fop-core jar
    * Adding a Lintian override for codeless jar
Checksums-Sha1:
 e7f45aa0a76c7ea4a576aa7afa7356c98c835341 2732 fop_2.10+dfsg-1.dsc
 49b4dbc0e13e8de45e42ea9d18a0afeeafd2a336 874604 fop_2.10+dfsg-1.debian.tar.xz
 b918af900334151b5b73bbaaf6a62fd04bd8eb82 17782 fop_2.10+dfsg-1_source.buildinfo
Checksums-Sha256:
 07e7dabe39b3c1e20d91c7297da4e7b9d6c3d6a8a091a0fae7c6820b294c2cc8 2732 fop_2.10+dfsg-1.dsc
 58f016741bbecc71439af66849a72574ee98287ee0896ff4e0da2d201bce118d 874604 fop_2.10+dfsg-1.debian.tar.xz
 a69d09b2c8eb3824599b99f0756f6b254597c458c139739b6f55c3115aa84a9e 17782 fop_2.10+dfsg-1_source.buildinfo
Files:
 223e9505699e3cadbfba5fc1a2f4b838 2732 text optional fop_2.10+dfsg-1.dsc
 3963554c2dcf134ddf890685ae22ac70 874604 text optional fop_2.10+dfsg-1.debian.tar.xz
 eb4f61c29a43392b9ff930bfc26a141c 17782 text optional fop_2.10+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
