Your message dated Mon, 07 Apr 2025 14:02:35 +0000
with message-id <[email protected]>
and subject line Bug#1001037: fixed in kotlin 1.3.31+ds1-3
has caused the Debian Bug report #1001037,
regarding kotlin: CVE-2020-29582
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1001037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001037
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kotlin
Version: 1.3.31+~1.0.1+~0.11.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi Andrej,
Looking at
https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/
there is an entry for Kotlin. It is said to be fixed in 1.4.21 but
there is little other information.
https://youtrack.jetbrains.com/issue/KT-42181 is not accessible
either.
I'm filing this bug for tracking the issue:
CVE-2020-29582:
| In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for
| temporary file and folder creation. An attacker was able to read data
| from such files and list directories due to insecure permissions.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: kotlin
Source-Version: 1.3.31+ds1-3
Done: Julien Plissonneau Duquène <[email protected]>
We believe that the bug you reported is fixed in the latest version of
kotlin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Plissonneau Duquène <[email protected]> (supplier of updated kotlin
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 07 Apr 2025 11:37:55 +0000
Source: kotlin
Architecture: source
Version: 1.3.31+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Julien Plissonneau Duquène <[email protected]>
Closes: 1001037 1101825
Changes:
 kotlin (1.3.31+ds1-3) unstable; urgency=medium
 .
   * Revert the temporary FTBFS fixes.
   * Fix run-time compatibility issues with older JREs when built with the
     default JDK (21).
   * Fix CVE-2020-29582: use NIO Files.createTemp*() instead of
     File.createTemp*(). (Closes: #1001037)
   * Promote Standards-Version to 4.7.2 with no changes.
   * Include build.txt in package to fix -version. (Closes: #1101825)
--- End Message ---
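
The permission difference behind CVE-2020-29582 and the changelog's switch from File.createTemp*() to NIO Files.createTemp*() can be checked with the following added example. It is not code from the Debian patch or from JetBrains; the helper name `ownerOnly`, the `cve-demo` prefix and the delete-then-mkdir directory idiom are constructed for illustration, and it assumes a POSIX file system.

```kotlin
import java.io.File
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// Bits that let other local accounts read a file or list/enter a directory.
val EXPOSED = setOf(
    PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_EXECUTE,
    PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_EXECUTE
)

// Hypothetical helper: prints the mode and returns true when only the owner has access.
fun ownerOnly(label: String, path: Path): Boolean {
    val perms = Files.getPosixFilePermissions(path) // throws on non-POSIX file systems
    val leaked = perms.intersect(EXPOSED)
    val verdict = if (leaked.isEmpty()) "owner-only" else "exposed via $leaked"
    println("%-30s %s  %s".format(label, PosixFilePermissions.toString(perms), verdict))
    return leaked.isEmpty()
}

fun main() {
    // Legacy java.io API: the file is created with mode 0666 masked by the process
    // umask, so whether other users can read it depends entirely on that umask.
    val legacyFile = File.createTempFile("cve-demo", ".tmp").toPath()
    // java.io has no temp-directory call; a common workaround (constructed here)
    // reuses the temp file name for a directory created with 0777 masked by umask.
    val legacyDir = File.createTempFile("cve-demo", ".d")
        .also { it.delete(); it.mkdir() }.toPath()

    // NIO API: with no attributes passed, the JDK requests owner-only permissions
    // on POSIX file systems, independent of the umask.
    val nioFile = Files.createTempFile("cve-demo", ".tmp")
    val nioDir = Files.createTempDirectory("cve-demo")

    ownerOnly("File.createTempFile", legacyFile)
    ownerOnly("File.createTempFile + mkdir", legacyDir)
    val nioFileOk = ownerOnly("Files.createTempFile", nioFile)
    val nioDirOk = ownerOnly("Files.createTempDirectory", nioDir)

    listOf(legacyFile, legacyDir, nioFile, nioDir).forEach { Files.deleteIfExists(it) }
    // The NIO paths must be owner-only whatever the umask is; fail loudly otherwise.
    check(nioFileOk && nioDirOk) { "NIO temp paths should be owner-only" }
}
```

Running it under different umask values shows that only the legacy results change, which is why a restrictive umask on the build host can hide the problem during testing.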
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.