Your message dated Wed, 24 May 2017 15:04:51 +0000
with message-id <e1ddxqf-0004m7...@fasolo.debian.org>
and subject line Bug#860567: fixed in fop 1:2.1-6
has caused the Debian Bug report #860567,
regarding fop: CVE-2017-5661: information disclosure vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860567
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for fop.

CVE-2017-5661[0]:
| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within an XML document can trivially trigger an amplification attack.

I was not able to verify that myself, but it is claimed to affect all
fop versions from 1.0 up to 2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661
[1] http://www.openwall.com/lists/oss-security/2017/04/18/2

Regards,
Salvatore

--- End Message ---
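The CVE text above describes the XXE class of bug: an XML (here SVG) document carrying a DOCTYPE that declares external entities, which the parser then resolves against the server's filesystem. The defensive counterpart is to configure the XML parser so that a DOCTYPE is refused before any entity can be declared or expanded. The following Java class is an added illustration of that configuration and is not code from the bug report, from Debian's fop packaging or from Apache FOP itself; the class and method names, the constructed SVG strings and the placeholder file path in the DOCTYPE are all assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical helper (not part of FOP): parse untrusted SVG with a SAX parser
// whose entity-resolution avenues are all closed.
public class HardenedSvgParser {

    /** Build a SAX parser factory that refuses DTDs and never fetches external entities. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // Primary control: reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that cannot refuse a DOCTYPE outright.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables JAXP entity-expansion limits as well.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Parse an SVG string; return its element count, or -1 if the parser rejected it. */
    static int countElements(String svg) throws Exception {
        final int[] count = {0};
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                count[0]++;
            }
        };
        try {
            SAXParser parser = hardenedFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(svg)), handler);
            return count[0];
        } catch (SAXParseException e) {
            // The DOCTYPE is refused before any entity could be resolved or expanded.
            System.err.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign SVG with no DTD; it parses normally.
        String benign = "<svg xmlns='http://www.w3.org/2000/svg'><rect width='1' height='1'/></svg>";
        // Constructed sample: an SVG whose DOCTYPE declares an external entity.
        // The SYSTEM path is a placeholder; the hardened parser never reads it.
        String withDoctype = "<!DOCTYPE svg [<!ENTITY ext SYSTEM 'file:///placeholder/not-for-clients'>]>"
            + "<svg xmlns='http://www.w3.org/2000/svg'><text>&ext;</text></svg>";
        System.out.println("benign elements: " + countElements(benign));
        System.out.println("doctype result:  " + countElements(withDoctype));
    }
}
```

The same feature settings apply to a DocumentBuilderFactory or an XMLInputFactory; whichever API a service uses to ingest user-supplied SVG, the check to make is that a document containing any DOCTYPE is rejected, not merely that a particular entity fails to resolve.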
--- Begin Message ---
Source: fop
Source-Version: 1:2.1-6

We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated fop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 May 2017 15:53:03 +0200
Source: fop
Binary: fop libfop-java fop-doc
Architecture: source
Version: 1:2.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 fop        - XML formatter driven by XSL Formatting Objects (XSL-FO.) - app
 fop-doc    - XML formatter driven by XSL Formatting Objects (doc) - doc
 libfop-java - XML formatter driven by XSL Formatting Objects (XSL-FO.) - libs
Closes: 860567
Changes:
 fop (1:2.1-6) unstable; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Checksums-Sha1:
 03aefdca9334b932835a978357671dd1f56bdbcd 2492 fop_2.1-6.dsc
 65808a7ffce63a0fa006dda4458a430bcae2de32 870416 fop_2.1-6.debian.tar.xz
 61765c1f3d45e63c47744cb64c86da2e74ac12dc 5310 fop_2.1-6_source.buildinfo
Checksums-Sha256:
 8dc1a44f7f621127061993970e69bdf49f16067a6c9a276e27144ccc36ef4f2e 2492 fop_2.1-6.dsc
 a59f86deb333458326e0e62600066d4b741923f29f9cc18714034a68d059f73f 870416 fop_2.1-6.debian.tar.xz
 b25d50a885c426a1bf2ce3d9a662b518518212ddf6351d3f3bb1df9d1eefd1b0 5310 fop_2.1-6_source.buildinfo
Files:
 5d5632ee47527572eff4bbbd61391fa1 2492 text optional fop_2.1-6.dsc
 efa740348a632d77994b33f43c4e6bdf 870416 text optional fop_2.1-6.debian.tar.xz
 c081d15c17868d4f7f0a00e5ca7cfe83 5310 text optional fop_2.1-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.