Your message dated Mon, 11 Dec 2017 12:48:59 +0000
with message-id <e1eonvz-0009ki...@fasolo.debian.org>
and subject line Bug#880467: fixed in jasperreports 6.3.1-1
has caused the Debian Bug report #880467,
regarding jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
880467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jasperreports
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for jasperreports.

I couldn't find much information about them, so I asked a question on
the community board for jasperreports.

https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529


CVE-2017-14941[0]:
| Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure
| vulnerability, which allows a remote authenticated user to retrieve
| stored Data Source passwords by accessing flow.html and reading the
| HTML source code of the page reached in an Edit action for a Data
| Source connector.

CVE-2017-5528[1]:
| Multiple JasperReports Server components contain vulnerabilities
| which may allow authorized users to perform cross-site scripting
| (XSS) and cross-site request forgery (CSRF) attacks.  The impact of
| this vulnerability includes the theoretical disclosure of sensitive
| information.  Affects TIBCO JasperReports Server (versions 6.1.1 and
| below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community
| Edition (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.2.0 and below).

CVE-2017-5529[2]:
| JasperReports library components contain an information disclosure
| vulnerability. This vulnerability includes the theoretical disclosure
| of any accessible information from the host file system. Affects TIBCO
| JasperReports Library Community Edition (versions 6.4.0 and below),
| TIBCO JasperReports Library for ActiveMatrix BPM (versions 6.2.0 and
| below), TIBCO JasperReports Professional (versions 6.2.1 and below,
| and 6.3.0), TIBCO JasperReports Server (versions 6.1.1 and below,
| 6.2.0, 6.2.1, 6.3.0), TIBCO JasperReports Server Community Edition
| (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.3.0 and below), TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.3.0 and below), and TIBCO
| Jaspersoft Studio for ActiveMatrix BPM (versions 6.2.0 and below).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14941
[1] https://security-tracker.debian.org/tracker/CVE-2017-5528
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5528
[2] https://security-tracker.debian.org/tracker/CVE-2017-5529
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5529

Please adjust the affected versions in the BTS as needed.


--- End Message ---
--- Begin Message ---
Source: jasperreports
Source-Version: 6.3.1-1

We believe that the bug you reported is fixed in the latest version of
jasperreports, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated jasperreports package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 11 Dec 2017 13:14:45 +0100
Source: jasperreports
Binary: libjasperreports-java
Architecture: source
Version: 6.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libjasperreports-java - Java reporting generator library
Closes: 880467
Changes:
 jasperreports (6.3.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2017-5528 and CVE-2017-5529 (Closes: #880467)
     - Refreshed the patches
     - Adapted the build to the new source layout
   * Track and download the new releases from GitHub

--- End Message ---