Your message dated Mon, 09 Apr 2018 08:56:58 +0000
with message-id <e1f5sbi-000exk...@fasolo.debian.org>
and subject line Bug#893174: fixed in libcommons-compress-java 1.13-2
has caused the Debian Bug report #893174,
regarding libcommons-compress-java: CVE-2018-1324: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893174: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893174
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libcommons-compress-java
Version: 1.13-1
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/COMPRESS-432

Hi,

the following vulnerability was published for libcommons-compress-java.

CVE-2018-1324[0]:
| A specially crafted ZIP archive can be used to cause an infinite loop
| inside of Apache Commons Compress' extra field parser used by the
| ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15.
| This can be used to mount a denial of service attack against services
| that use Compress' zip package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1324
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324
[1] https://issues.apache.org/jira/browse/COMPRESS-432
[2] https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2

Regards,
Salvatore

--- End Message ---
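The CVE text quoted in the report above concerns the extra field parser of Apache Commons Compress. As an added illustration (not code from commons-compress, from the upstream fix, or from this bug report), the following Python parser reads the ZIP extra field area in its APPNOTE layout (2-byte little-endian header id, 2-byte data size, data, repeated) and enforces the two properties a defensive parser needs: every declared size is checked against the bytes remaining, and the offset strictly advances on every iteration so crafted input cannot stall the loop. The sample bytes are constructed for the example.

```python
import struct
from typing import List, Tuple


class MalformedExtraField(ValueError):
    """Raised when an extra field record does not fit its buffer."""


def parse_extra_fields(extra: bytes, max_records: int = 1024) -> List[Tuple[int, bytes]]:
    """Parse a ZIP extra field area into (header_id, data) records.

    Each record is a 2-byte id and a 2-byte data size, both little-endian,
    followed by `size` bytes of data. Rejects truncated headers, sizes that
    overrun the buffer, and absurd record counts; every loop iteration
    consumes at least the 4 header bytes, so the loop always terminates.
    """
    records: List[Tuple[int, bytes]] = []
    offset, length = 0, len(extra)
    while offset < length:
        if length - offset < 4:
            raise MalformedExtraField(f"truncated record header at offset {offset}")
        header_id, size = struct.unpack_from("<HH", extra, offset)
        start, end = offset + 4, offset + 4 + size
        if end > length:
            raise MalformedExtraField(
                f"record 0x{header_id:04x} declares {size} bytes, only {length - start} remain")
        records.append((header_id, extra[start:end]))
        if len(records) > max_records:
            raise MalformedExtraField("too many extra field records")
        offset = end  # always >= previous offset + 4: guaranteed progress


    return records


def is_malformed(extra: bytes) -> bool:
    """Convenience check: True when the extra field area is rejected."""
    try:
        parse_extra_fields(extra)
        return False
    except MalformedExtraField:
        return True


# Constructed sample: a Zip64 record (id 0x0001, 8 bytes of data) followed by
# an extended-timestamp record (id 0x5455, 1 flag byte + 4-byte mtime).
SAMPLE_EXTRA = (struct.pack("<HH", 0x0001, 8) + b"\x00" * 8
                + struct.pack("<HH", 0x5455, 5) + b"\x01" + struct.pack("<I", 1523285930))
# Constructed malformed sample: the declared size overruns the buffer.
MALFORMED_EXTRA = struct.pack("<HH", 0x0001, 0xFFFF) + b"\x00" * 4
```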
--- Begin Message ---
Source: libcommons-compress-java
Source-Version: 1.13-2

We believe that the bug you reported is fixed in the latest version of
libcommons-compress-java, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated 
libcommons-compress-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Apr 2018 20:58:50 -0700
Source: libcommons-compress-java
Binary: libcommons-compress-java
Architecture: source all
Version: 1.13-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Description:
 libcommons-compress-java - Java API for working with compression and archive 
formats
Closes: 893174
Changes:
 libcommons-compress-java (1.13-2) unstable; urgency=medium
 .
   * Team upload.
   * Apply patch for CVE-2018-1324 (Closes: #893174)
   * Use debhelper 11
   * Update Homepage
   * Update debian/watch to repack with xz compression
   * Drop get-orig-source target from debian/rules
   * Bump Standards-Version to 4.1.4


--- End Message ---