Bug#900953: marked as done (plexus-archiver: CVE-2018-1002200)
Your message dated Thu, 14 Jun 2018 19:17:10 + with message-id and subject line Bug#900953: fixed in plexus-archiver 2.2-1+deb9u1 has caused the Debian Bug report #900953, regarding plexus-archiver: CVE-2018-1002200 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: plexus-archiver Version: 3.5-1 Severity: grave Tags: patch security upstream Justification: user security hole Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87 Hi, The following vulnerability was published for plexus-archiver. CVE-2018-1002200[0]: | arbitrary file write vulnerability / arbitrary code execution using a | specially crafted zip file If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-1002200 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200 [1] https://github.com/codehaus-plexus/plexus-archiver/pull/87 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: plexus-archiver Source-Version: 2.2-1+deb9u1 We believe that the bug you reported is fixed in the latest version of plexus-archiver, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 900...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso (supplier of updated plexus-archiver package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 10 Jun 2018 16:49:48 +0200 Source: plexus-archiver Binary: libplexus-archiver-java Architecture: source Version: 2.2-1+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Debian Java Maintainers Changed-By: Salvatore Bonaccorso Description: libplexus-archiver-java - Archiver plugin for the Plexus compiler system Closes: 900953 Changes: plexus-archiver (2.2-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fail when trying to extract outside of dest dir (CVE-2018-1002200) Fixes arbitrary file write vulnerability using a specially crafted zip file. (Closes: #900953) Checksums-Sha1: b240cce32f14ba1f7074af0ca35e0ef718872ee0 2480 plexus-archiver_2.2-1+deb9u1.dsc bcbe1e9013634eb77c20b90729c0434df9a11246 136141 plexus-archiver_2.2.orig.tar.gz 2ac61f5c2eec9e3ffa532280bbe0cc9300a50a54 4924 plexus-archiver_2.2-1+deb9u1.debian.tar.xz 3dc5d05a123c571d10063c6e3bec7c460be62b70 6188 plexus-archiver_2.2-1+deb9u1_source.buildinfo Checksums-Sha256: 840aeb21bbe2b43850123ec4b542cba9457eea26e766b63522576789616e1ce8 2480 plexus-archiver_2.2-1+deb9u1.dsc 93572eafdbf0e037303a5a1ed7e91b9cb251a9072ae513067efa5ca3ca32570e 136141 plexus-archiver_2.2.orig.tar.gz 4fccf74ef9cbea391933543f7cbd697aff405756c70b46a24aa355cd6c2376ab 4924 plexus-archiver_2.2-1+deb9u1.debian.tar.xz a50060addb77050187942a4cb64de024b3fc70f85cf53804650eccafb24b8cfe 6188 plexus-archiver_2.2-1+deb9u1_source.buildinfo Files: 5d56f32b90171db07195165d8eb1300d 2480 java optional plexus-archiver_2.2-1+deb9u1.dsc d3325095c0859aeac96aa14d7276a9d3 136141 java optional plexus-archiver_2.2.orig.tar.gz 4df7e694bc223a6171b0e1073dcfa5ff 4924 java optional plexus-archiver_2.2-1+deb9u1.debian.tar.xz 496b98e813ce1698fed3ae3ed9fe0648 6188 java optional plexus-archiver_2.2-1+deb9u1_source.buildinfo -BEGIN PGP SIGNATURE- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsdQPZfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EHZ8QAIHNfzrr4KHOeg1RqEtRe3SiaFP5glqC hBItfRF9CZavsfjipEj+eBHlu02prZYos+idX/sNV1v1JoP2Cm2sbv0sLtRyknjD Iv2blbu3r/ajC2onZPdXtROkgO7xprguoB246CFEd9Zc8m7B1MpphO4UWc2yLm6g TOx5XW8I3f5jcWqyhMfdaAxhfrN1ptRKDXO26iqvMqMtYysuRYaUtBy7smNOB2mP BV9Ipsu2W7Kr6l0QECDTho421nYGmwzKcwgQhw4fQfLKeZfa0HtexPKM6202HdEm yT3/nraZ1LlMTi912umXuz3W/SntLIPMF/Wntwe8Dj1XLsq0/ZoDsXeH5VX4U
Bug#900953: marked as done (plexus-archiver: CVE-2018-1002200)
Your message dated Wed, 13 Jun 2018 22:17:33 + with message-id and subject line Bug#900953: fixed in plexus-archiver 1.2-1+deb8u1 has caused the Debian Bug report #900953, regarding plexus-archiver: CVE-2018-1002200 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: plexus-archiver Version: 3.5-1 Severity: grave Tags: patch security upstream Justification: user security hole Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87 Hi, The following vulnerability was published for plexus-archiver. CVE-2018-1002200[0]: | arbitrary file write vulnerability / arbitrary code execution using a | specially crafted zip file If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-1002200 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200 [1] https://github.com/codehaus-plexus/plexus-archiver/pull/87 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: plexus-archiver Source-Version: 1.2-1+deb8u1 We believe that the bug you reported is fixed in the latest version of plexus-archiver, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 900...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso (supplier of updated plexus-archiver package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 10 Jun 2018 21:17:18 +0200 Source: plexus-archiver Binary: libplexus-archiver-java Architecture: all source Version: 1.2-1+deb8u1 Distribution: jessie-security Urgency: high Maintainer: Debian Java Maintainers Changed-By: Salvatore Bonaccorso Closes: 900953 Description: libplexus-archiver-java - Archiver plugin for the Plexus compiler system Changes: plexus-archiver (1.2-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fail when trying to extract outside of dest dir (CVE-2018-1002200) Fixes arbitrary file write vulnerability using a specially crafted zip file. (Closes: #900953) Checksums-Sha1: 657a8d10077a1ef86195640062b5fc2fc6c1bfcd 2487 plexus-archiver_1.2-1+deb8u1.dsc 73b0cb563903c97dfa276b44409b852da78ffcf1 125994 plexus-archiver_1.2.orig.tar.gz b0b0cddda2456ae3209ae5b79efa6e06c3a800d3 4404 plexus-archiver_1.2-1+deb8u1.debian.tar.xz a53e3e54ec6cfbafc818a62da41d3256b2106b7b 165576 libplexus-archiver-java_1.2-1+deb8u1_all.deb Checksums-Sha256: e8551f1d118da04c0b72932a15ae49d7354e084997ca412d636d3b61bad5f686 2487 plexus-archiver_1.2-1+deb8u1.dsc 37c48eaa6af2d88476b885849a4e7157190a918c0259eeab7ead00c52d7d4e59 125994 plexus-archiver_1.2.orig.tar.gz 511b9a9aef380b5e86ee4063133d0780e331a09ed41a4b5f9d00fb3783fd5454 4404 plexus-archiver_1.2-1+deb8u1.debian.tar.xz 989a071a9667323c194d94cba2ac57edf8ad91914f49881a5d7342de19df 165576 libplexus-archiver-java_1.2-1+deb8u1_all.deb Files: ea05ae8a053cd0f1665f9fc82545b07e 2487 java optional plexus-archiver_1.2-1+deb8u1.dsc 72ab4e8d4505f8db159dc760fe85aef1 125994 java optional plexus-archiver_1.2.orig.tar.gz d8a6b6749543a01c89196c62ea727f5d 4404 java optional plexus-archiver_1.2-1+deb8u1.debian.tar.xz 69d90ba3d7f5fb84ec9f05ec22c9df89 165576 java optional libplexus-archiver-java_1.2-1+deb8u1_all.deb -BEGIN PGP SIGNATURE- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsdeqVfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EwfUP/0WhTz9A/hNP7qc8C4uCz9pR8bMHs4bS MZAxdVeVTSIoyRiavpWZ94cvMRlvKNb2TfBMasARrlGUQKHjd/TsHFdoX9V1pATb x+RrgZksZFZTkqrRKJzUToHHG/L5nx9iRzZlWvwWfbqOxBuNPBRUo3+Z47I4EKYC RJRA0ieNAq32h+4q0e1Fo0THCsB6WcqnIFQnQXkkYn+aO42TU8ezkfMrPYx1CI3z uqavA75gQVCXSi2adwN2raUHYuuNibNi1I2PU3W2xVFQeewgHgwrG5L0KF5eaQmT /Ca1ULuTiofb22lssAN5u0HOJEuFaBpGuh/xuH1WsodC9DusyS/d
Bug#900953: marked as done (plexus-archiver: CVE-2018-1002200)
Your message dated Thu, 07 Jun 2018 10:19:49 + with message-id and subject line Bug#900953: fixed in plexus-archiver 3.6.0-1 has caused the Debian Bug report #900953, regarding plexus-archiver: CVE-2018-1002200 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: plexus-archiver Version: 3.5-1 Severity: grave Tags: patch security upstream Justification: user security hole Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87 Hi, The following vulnerability was published for plexus-archiver. CVE-2018-1002200[0]: | arbitrary file write vulnerability / arbitrary code execution using a | specially crafted zip file If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-1002200 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200 [1] https://github.com/codehaus-plexus/plexus-archiver/pull/87 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: plexus-archiver Source-Version: 3.6.0-1 We believe that the bug you reported is fixed in the latest version of plexus-archiver, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 900...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Emmanuel Bourg (supplier of updated plexus-archiver package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 07 Jun 2018 11:50:41 +0200 Source: plexus-archiver Binary: libplexus-archiver-java Architecture: source Version: 3.6.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers Changed-By: Emmanuel Bourg Description: libplexus-archiver-java - Archiver plugin for the Plexus compiler system Closes: 889426 900953 Changes: plexus-archiver (3.6.0-1) unstable; urgency=medium . * Team upload. * New upstream release - Fixes CVE-2018-1002200: Arbitrary file write vulnerability using a specially crafted zip file (Closes: #900953) * Removed Damien Raude-Morvan from the uploaders (Closes: #889426) * Standards-Version updated to 4.1.4 * Switch to debhelper level 11 * Use salsa.debian.org Vcs-* URLs Checksums-Sha1: c2eaeefbe692980ed505875578e070b495d84067 2323 plexus-archiver_3.6.0-1.dsc fd15074c740a551877bc30b94ad5c46d0567ee70 425988 plexus-archiver_3.6.0.orig.tar.xz 49731591269037da5098d87f0891f4e87abb466c 4552 plexus-archiver_3.6.0-1.debian.tar.xz a3edb759bfe596b867f5b3c14b38c1e3067cf81a 14873 plexus-archiver_3.6.0-1_source.buildinfo Checksums-Sha256: 950b9dfe30783cc67ac6c53ec950c13ac0230fce0a0a81358e9ac382822a7611 2323 plexus-archiver_3.6.0-1.dsc ffe914d89c386cc092c999056d761fc50e8d91bc272bde88717f601ded43c476 425988 plexus-archiver_3.6.0.orig.tar.xz 34e118bb95960fc413aa27a481071ea08df68472fac2bdf6421a92c7b6deef2c 4552 plexus-archiver_3.6.0-1.debian.tar.xz 5a39f16a8d2494f7dd1dbc8dd20235cb80dfaee22ccf357346df61b0f1c46afd 14873 plexus-archiver_3.6.0-1_source.buildinfo Files: e82a8902044bc8e2305785b5e94921b2 2323 java optional plexus-archiver_3.6.0-1.dsc 5ad9a01cdfb2ff0d35070ae580e691f6 425988 java optional plexus-archiver_3.6.0.orig.tar.xz d81948f576146dab21ea0810ac01bd59 4552 java optional plexus-archiver_3.6.0-1.debian.tar.xz c97a04a95806b3401160a5c5c0c01ad5 14873 java optional plexus-archiver_3.6.0-1_source.buildinfo -BEGIN PGP SIGNATURE- iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlsZAkgSHGVib3VyZ0Bh cGFjaGUub3JnAAoJEPUTxBnkudCsn4wP/jKamEPg7A7gZbV53mOWhowce2FsxuSB xIDyZ7kg0apRs7fB4d0UYMZZqcS01/BN3oepI/xSS6H75bUUMMw4o+XN7sIJAxu7 Oz3EVHGS14iqLaeQoVbBOBokC6kbBDQ36cR/GMNwqxeIDmPPSBpxzLNC3a6v7DTd Wsc1QMXg0045vOkaKiynw3xwl4Crhcwn1tHIRRb1toDqD2QNAbKrfJUNusNr/rXg 4ol+rXTbNAZd3O65G05g1YoHFCCeGYA6LxqpDrnRebYOPs33c1VzLSxzwPAybosD t1P+2Q8+j62AGVYZ2HxGMA5wtuXbtmZz2tDJYs7xb/Qzcj1Vi5IDPtg9IvVazes/ 6EqJ2C/tACeLIaRHJ75tIOtMMEgtom5ZzEISRt/UgXtfNBmvtcb224YHgLvgUr/h Lrr2s7QPJt