Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Markus Koschany
On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
[...]
> 
> Now whilst the affected code is back present in 1.2.0, I need some
> help understanding the actual impact for us. According to the build
> log this common code is as well compiled into mod_jk. The
> upstream description though mentions that the resulting security impact
> seems only relevant when run under IIS.
> https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> that a mitigation would be to "Where available, use IIS configuration
> to restrict the maximum URI length to 4095 - (the length of the
> longest virtual host name)".
> 
> Can you clarify if this is correct? If so we would mark the CVE as
> (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> upload to unstable can then mark the CVE as fixed.
> 
> Please let me know if the above statement about the issue being
> relevant only under IIS is correct this way.

Looking at native/common/jk_uri_worker_map.c it appears that the
affected map_uri_to_worker_ext function is shared between the IIS,
Apache 1.3 and Apache-2.0 modules and the latter is used by Debian. So
for me it looks relevant to us.

Regards,

Markus




__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.

resteasy 3.0.19-2 MIGRATED to testing

2016-10-07 Thread Debian testing watch
FYI: The status of the resteasy source package
in Debian's testing distribution has changed.

  Previous version: 3.0.19-1
  Current version:  3.0.19-2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Processing of easymock_3.4+ds-1_source.changes

2016-10-07 Thread Debian FTP Masters
easymock_3.4+ds-1_source.changes uploaded successfully to localhost
along with the files:
  easymock_3.4+ds-1.dsc
  easymock_3.4+ds.orig.tar.xz
  easymock_3.4+ds-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



Processing of easymock_3.4+ds-1_source.changes

2016-10-07 Thread Debian FTP Masters
easymock_3.4+ds-1_source.changes uploaded successfully to ftp-master.debian.org
along with the files:
  easymock_3.4+ds-1.dsc
  easymock_3.4+ds.orig.tar.xz
  easymock_3.4+ds-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host coccia.debian.org)



easymock_3.4+ds-1_source.changes ACCEPTED into unstable

2016-10-07 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Fri, 07 Oct 2016 18:59:24 +0200
Source: easymock
Binary: libeasymock-java libeasymock-java-doc
Architecture: source
Version: 3.4+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libeasymock-java - Java library to generate Mock Objects for given interfaces
 libeasymock-java-doc - Java library to generate Mock Objects for given interfaces (docum
Changes:
 easymock (3.4+ds-1) unstable; urgency=medium
 .
   * New upstream version 3.4+ds.
   * Switch to compat level 10.
   * debian/control: Use Build-Depends only.
   * Update get-orig-source target and use Files-Excluded mechanism.
   * Switch to maven-debian-helper because the build system is now Maven based.
   * Use correct Maven substvars in debian/control.
   * Remove libeasymock-java-doc.docs
   * Drop README.source.
   * Rebase no-android.patch and remove AndroidClassProxyFactory class.
   * Add maven.properties file.
   * Remove ant and ant-optional from Build-Depends.
   * Add libmaven-javadoc-plugin-java to Build-Depends.
   * Add libmaven-bundle-plugin-java to Build-Depends.
   * Add libeasymock-java-doc.doc-base.api
   * Add libeasymock-java-doc.install
   * Suggest Junit4 instead of depending on it because it is optional.


Thank you for your contribution to Debian.



assertj-core 2.3.0-3 MIGRATED to testing

2016-10-07 Thread Debian testing watch
FYI: The status of the assertj-core source package
in Debian's testing distribution has changed.

  Previous version: 2.3.0-2
  Current version:  2.3.0-3

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Markus Koschany
On 07.10.2016 16:20, Salvatore Bonaccorso wrote:
> Hi Markus,
[...]

> Thanks for your investigation! Have you good upstream contact to try
> to clarify why the above statement was made?

Hi Salvatore,

unfortunately not. I'm just the guy who tries to keep these packages
alive. But I agree that we need an upstream clarification because I also
don't understand why they singled out the IIS server. I'll try to get in
contact with them.







Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Markus Koschany
Looks like Apache is not affected. [1] I guess  would be
justified here.

Markus


[1]
https://mail-archives.apache.org/mod_mbox/tomcat-users/201610.mbox/%3CCABzHfVmjt6oRKZfETgrP22wX%3DMF%2BSZsYDw2mAJkmhwcHDt0T3Q%40mail.gmail.com%3E




Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Hi Markus,

On Fri, Oct 07, 2016 at 03:21:54PM +0200, Markus Koschany wrote:
> On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
> [...]
> > 
> > Now whilst the affected code is back present in 1.2.0, I need some
> > help understanding the actual impact for us. According to the build
> > log this common code is as well compiled into mod_jk. The
> > upstream description though mentions that the resulting security impact
> > seems only relevant when run under IIS.
> > https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> > that a mitigation would be to "Where available, use IIS configuration
> > to restrict the maximum URI length to 4095 - (the length of the
> > longest virtual host name)".
> > 
> > Can you clarify if this is correct? If so we would mark the CVE as
> > (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> > upload to unstable can then mark the CVE as fixed.
> > 
> > Please let me know if the above statement about the issue being
> > relevant only under IIS is correct this way.
> 
> Looking at native/common/jk_uri_worker_map.c it appears that the
> affected map_uri_to_worker_ext function is shared between the IIS,
> Apache 1.3 and Apache-2.0 modules and the latter is used by Debian. So
> for me it looks relevant to us.

Thanks for your investigation! Have you good upstream contact to try
to clarify why the above statement was made?

Regards,
Salvatore



Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso

On Fri, Oct 07, 2016 at 02:15:32PM +0200, Salvatore Bonaccorso wrote:
> Can you clarify if this is correct? If so we would mark the CVE as
> (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> upload to unstable can then mark the CVE as fixed.

... or actually  (Windows specific) in that case, it
turns true.

Regards,
Salvatore



Processing of stegosuite_0.7.3-2_source.changes

2016-10-07 Thread Debian FTP Masters
stegosuite_0.7.3-2_source.changes uploaded successfully to localhost
along with the files:
  stegosuite_0.7.3-2.dsc
  stegosuite_0.7.3-2.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



stegosuite_0.7.3-2_source.changes ACCEPTED into unstable

2016-10-07 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Fri, 07 Oct 2016 20:30:01 +0200
Source: stegosuite
Binary: stegosuite
Architecture: source
Version: 0.7.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 stegosuite - steganography tool to hide information in image files
Closes: 829258
Changes:
 stegosuite (0.7.3-2) unstable; urgency=medium
 .
   * Team upload.
   * Switch to compat level 10.
   * debian/control: Change Section from Java to Graphics.
 Thanks to Axel Beckert for the report. (Closes: #829258)


Thank you for your contribution to Debian.



Bug#840043: src:libibatis-java: please package MyBatis 3

2016-10-07 Thread Dominik George
Package: src:libibatis-java
Severity: wishlist

Hi,

I am currently updating the guacamole-client package in Debian and it
needs MyBatis 3 for its JDBC plugin, which seems to be a successor of
iBatis.

Could you update the package to MyBatis 3?

Cheers,
Nik





Bug#829078: Interim workaround?

2016-10-07 Thread Jamie Norrish
Is there any way to get elasticsearch running while the patching is in
progress, or is the YAML problem fundamental? Alternately, is there
anything I, as someone unfamiliar with the package and only slightly
proficient at Java programming, can do to help with fixing the problem?

Jamie



Bug#840043: src:libibatis-java: please package MyBatis 3

2016-10-07 Thread Emmanuel Bourg
On 7/10/2016 at 21:53, Dominik George wrote:

> Could you update the package to MyBatis 3?

Hi Dominik,

If I'm not mistaken MyBatis 3 is not compatible with iBatis, so we'll
need a new package instead of upgrading this one.

Emmanuel Bourg



Processing of stegosuite_0.7.3-2_source.changes

2016-10-07 Thread Debian FTP Masters
stegosuite_0.7.3-2_source.changes uploaded successfully to ftp-master.debian.org
along with the files:
  stegosuite_0.7.3-2.dsc
  stegosuite_0.7.3-2.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host coccia.debian.org)



Bug#829258: marked as done (stegosuite: Wrong section, should be in e.g. graphics, but not in java)

2016-10-07 Thread Debian Bug Tracking System
Your message dated Fri, 07 Oct 2016 19:19:23 +
with message-id 
and subject line Bug#829258: fixed in stegosuite 0.7.3-2
has caused the Debian Bug report #829258,
regarding stegosuite: Wrong section, should be in e.g. graphics, but not in java
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
829258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: stegosuite
Severity: normal
Version: 0.7.3-1

Dear Maintainer,

stegosuite seems to be in the wrong package section: According to the
package description it has nothing to do with Java except that it's
written in it. But that's not what "Section: java" is meant for.

So please move the package to a different section. I suggest "graphics".

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
--- End Message ---
--- Begin Message ---
Source: stegosuite
Source-Version: 0.7.3-2

We believe that the bug you reported is fixed in the latest version of
stegosuite, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 829...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated stegosuite package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 07 Oct 2016 20:30:01 +0200
Source: stegosuite
Binary: stegosuite
Architecture: source
Version: 0.7.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 stegosuite - steganography tool to hide information in image files
Closes: 829258
Changes:
 stegosuite (0.7.3-2) unstable; urgency=medium
 .
   * Team upload.
   * Switch to compat level 10.
   * debian/control: Change Section from Java to Graphics.
 Thanks to Axel Beckert for the report. (Closes: #829258)
--- End Message ---

reproducible.debian.net status changes for batik

2016-10-07 Thread Reproducible builds folks
2016-10-07 12:25 https://tests.reproducible-builds.org/debian/unstable/amd64/batik changed from unreproducible -> FTBFS
2016-10-07 14:48 https://tests.reproducible-builds.org/debian/unstable/amd64/batik changed from FTBFS -> unreproducible



reproducible.debian.net status changes for jetty8

2016-10-07 Thread Reproducible builds folks
2016-10-07 14:06 https://tests.reproducible-builds.org/debian/unstable/amd64/jetty8 changed from unreproducible -> FTBFS



Bug#839184: zkCli.sh unusable as packaged

2016-10-07 Thread Felix Dreissig
Tags: patch

Hi,

sorry, I broke this with the patch from #830222: In commit 8c69d33, I moved
the "JAVA" environment variable to the init script, as it cannot be used
in the systemd unit file (that requires absolute executable paths).

However, other ZooKeeper tools rely on it being set in zkEnv.sh, which is
symlinked to /etc/zookeeper/conf/environment on Debian.
This not only affects zkCli.sh, but also zkCleanup.sh and zkServer.sh. Another
similar situation occurs for zkServer.sh, which relies on "$ZOOCFGDIR". Even
though that script is not used by the init files from zookeeperd, it is still
part of the zookeeper package and should probably be working as well.

I think the easiest solution is to just re-add the variables to the
environment file, the attached patch does that.

An alternative would be changing the scripts to not use "$JAVA" and
"$ZOOCFGDIR", but that would require patching the upstream files. Or remove
the symlink and use another zkEnv.sh (like the one from upstream), but I can't
comprehend the implications of that.

Best regards,
Felix

java-env.patch
Description: Binary data

Processed: #839184

2016-10-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 839184 + patch
Bug #839184 [zookeeper] zkCli.sh unusable as packaged
Added tag(s) patch.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
839184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839184
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Source: libapache-mod-jk
Version: 1:1.2.41-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2016-6808[0]:
buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6808

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#605063: marked as forwarded (batik is crashing (libbatik-java))

2016-10-07 Thread Debian Bug Tracking System
Your message dated Fri, 7 Oct 2016 09:05:05 +0200
with message-id 

has caused the   report #605063,
regarding batik is crashing (libbatik-java)
to be marked as having been forwarded to the upstream software
author(s) batik-...@xmlgraphics.apache.org

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605063: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605063
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hi,

I am about to make a new package for batik in Debian. Looking at the
bug tracker I see the following old issue, where:

$ java -jar /usr/share/java/batik.jar
Exception in thread "main" java.lang.NoClassDefFoundError:
org/w3c/dom/svg/SVGDocument
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
at java.lang.Class.getDeclaredMethod(Class.java:2128)
at java.awt.Component.isCoalesceEventsOverriden(Component.java:6218)
at java.awt.Component.access$500(Component.java:186)
at java.awt.Component$3.run(Component.java:6172)
at java.awt.Component$3.run(Component.java:6170)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.Component.checkCoalescing(Component.java:6169)
at java.awt.Component.(Component.java:6138)
at java.awt.Container.(Container.java:283)
at java.awt.Window.(Window.java:535)
at java.awt.Frame.(Frame.java:420)
at java.awt.Frame.(Frame.java:385)
at javax.swing.JFrame.(JFrame.java:189)
at org.apache.batik.apps.svgbrowser.JSVGViewerFrame.(Unknown Source)
at org.apache.batik.apps.svgbrowser.Main.(Unknown Source)
at org.apache.batik.apps.svgbrowser.Main.main(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.w3c.dom.svg.SVGDocument
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 18 more


However when I look at the source code, I fail to see where
SVGDocument could be coming from:

$ ls sources/org/w3c/dom/
ElementTraversal.java  events  Location.java  Window.java

What am I missing ?

Thanks,
--- End Message ---

batik_1.8-4_source.changes ACCEPTED into unstable

2016-10-07 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Fri, 07 Oct 2016 09:23:44 +0200
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.8-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Mathieu Malaterre 
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 805469 824113
Changes:
 batik (1.8-4) unstable; urgency=medium
 .
   [ Jakub Adam ]
   * Team upload.
   * Fix versioned OSGi dependencies.
   * Fix repeating Breaks: in d/control.
 .
   [ Mathieu Malaterre ]
   * Team upload.
   * Fix squiggle script crashes with a NoClassDefFoundError. Closes: #824113
   * Fix FOUserAgent - SVG graphic could not be built. Closes: #805469
   * Bump Std-Vers to 3.9.8, no changes needed


Thank you for your contribution to Debian.



Bug#824113: marked as done (libbatik-java: The "squiggle" script crashes with a NoClassDefFoundError)

2016-10-07 Thread Debian Bug Tracking System
Your message dated Fri, 07 Oct 2016 07:33:40 +
with message-id 
and subject line Bug#824113: fixed in batik 1.8-4
has caused the Debian Bug report #824113,
regarding libbatik-java: The "squiggle" script crashes with a 
NoClassDefFoundError
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
824113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libbatik-java
Version: 1.8-3
Severity: normal
Tags: patch

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libbatik-java depends on:
ii  java-wrappers                 0.1.28
ii  libbsf-java                   1:2.4.0-5
ii  libcommons-io-java            2.5-1
ii  libcommons-logging-java       1.2-1
ii  libxalan2-java                2.7.1-9
ii  libxml-commons-external-java  1.4.01-2
ii  libxmlgraphics-commons-java   2.1-1

Versions of packages libbatik-java recommends:
pn  default-jre
ii  fop                           1:2.1-3
ii  rhino                         1.7R4-3

libbatik-java suggests no packages.

-- no debconf information

Executing the command:

squiggle

brings up the application's splash screen, but fails to start with the message:

java.lang.Exception: org/apache/xmlgraphics/java2d/color/NamedColorSpace
at org.apache.batik.swing.svg.GVTTreeBuilder.run(Unknown Source)

This is remedied by adding xmlgraphics-commons to the list of jar files
sought by 'find_jars' in the squiggle shell script.
7c7
< find_jars xercesImpl batik-all xml-apis-ext js
---
> find_jars xercesImpl batik-all xml-apis-ext js xmlgraphics-commons
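Review bot: the hunk header 7c7 names no file and carries no context lines, so the change can only be applied by someone who already knows it targets line 7 of the squiggle shell script; a unified diff against the packaged script path would apply more reliably and would fail loudly if that line has moved. The added xmlgraphics-commons argument to find_jars is consistent with the reported missing class org/apache/xmlgraphics/java2d/color/NamedColorSpace.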
--- End Message ---
--- Begin Message ---
Source: batik
Source-Version: 1.8-4

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 824...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre  (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 07 Oct 2016 09:23:44 +0200
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.8-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Mathieu Malaterre 
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 805469 824113
Changes:
 batik (1.8-4) unstable; urgency=medium
 .
   [ Jakub Adam ]
   * Team upload.
   * Fix versioned OSGi dependencies.
   * Fix repeating Breaks: in d/control.
 .
   [ Mathieu Malaterre ]
   * Team upload.
   * Fix squiggle script crashes with a NoClassDefFoundError. Closes: #824113
   * Fix FOUserAgent - SVG graphic could not be built. Closes: #805469
   * Bump Std-Vers to 3.9.8, no changes needed

Bug#805469: marked as done ([ERROR] FOUserAgent - SVG graphic could not be built.)

2016-10-07 Thread Debian Bug Tracking System
Your message dated Fri, 07 Oct 2016 07:33:40 +
with message-id 
and subject line Bug#805469: fixed in batik 1.8-4
has caused the Debian Bug report #805469,
regarding [ERROR] FOUserAgent - SVG graphic could not be built.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
805469: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fop
Severity: important
Tags: upstream


Hello,

when building scon-doc I always got:

[ERROR] FOUserAgent - SVG graphic could not be built. Reason:
org.apache.batik.bridge.BridgeException:
titlepage/titlepage/mapnik_final_colors.svg (No such file or directory)
org.apache.batik.bridge.BridgeException:
titlepage/titlepage/mapnik_final_colors.svg (No such file or directory)


This looks like this resolved upstream bug [1].


CU
Jörg

[1] https://issues.apache.org/jira/browse/FOP-2489



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: batik
Source-Version: 1.8-4

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 805...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre  (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 07 Oct 2016 09:23:44 +0200
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.8-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Mathieu Malaterre 
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 805469 824113
Changes:
 batik (1.8-4) unstable; urgency=medium
 .
   [ Jakub Adam ]
   * Team upload.
   * Fix versioned OSGi dependencies.
   * Fix repeating Breaks: in d/control.
 .
   [ Mathieu Malaterre ]
   * Team upload.
   * Fix squiggle script crashes with a NoClassDefFoundError. Closes: #824113
   * Fix FOUserAgent - SVG graphic could not be built. Closes: #805469
   * Bump Std-Vers to 3.9.8, no changes needed

Processing of batik_1.8-4_source.changes

2016-10-07 Thread Debian FTP Masters
batik_1.8-4_source.changes uploaded successfully to localhost
along with the files:
  batik_1.8-4.dsc
  batik_1.8-4.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Control: found -1 1:1.2.37-4

Hi

On Fri, Oct 07, 2016 at 01:26:00PM +0200, Salvatore Bonaccorso wrote:
> Source: libapache-mod-jk
> Version: 1:1.2.41-1
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for libapache-mod-jk.
> 
> CVE-2016-6808[0]:
> buffer overflow
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-6808

Now whilst the affected code is back present in 1.2.0, I need some
help understanding the actual impact for us. According to the build
log this common code is as well compiled into mod_jk. The
upstream description, though, mentions that the resulting security impact
seems only relevant when run under IIS.
https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
that a mitigation would be to "Where available, use IIS configuration
to restrict the maximum URI length to 4095 - (the length of the
longest virtual host name)".

Can you clarify if this is correct? If so we would mark the CVE as
(unimportant) and thus as well not release a DSA, and a 1:1.2.42
upload to unstable can then mark the CVE as fixed.

Please let me know if the above statement about the issue being
relevant only under IIS is correct this way.

Regards,
Salvatore



Processed: Re: Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Debian Bug Tracking System
Processing control commands:

> found -1 1:1.2.37-4
Bug #840000 [src:libapache-mod-jk] libapache-mod-jk: CVE-2016-6808
Marked as found in versions libapache-mod-jk/1:1.2.37-4.

-- 
840000: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processing of libfastutil-java_7.0.11-2~bpo8+1_amd64.changes

2016-10-07 Thread Debian FTP Masters
libfastutil-java_7.0.11-2~bpo8+1_amd64.changes uploaded successfully to localhost
along with the files:
  libfastutil-java_7.0.11-2~bpo8+1.dsc
  libfastutil-java_7.0.11-2~bpo8+1.debian.tar.xz
  libfastutil-java_7.0.11-2~bpo8+1_all.deb
  libfastutil-java-doc_7.0.11-2~bpo8+1_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



libfastutil-java_7.0.11-2~bpo8+1_amd64.changes is NEW

2016-10-07 Thread Debian FTP Masters
binary:libfastutil-java is NEW.
binary:libfastutil-java-doc is NEW.
source:libfastutil-java is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
