Bug#780897: batik: CVE-2015-0250
Source: batik
Version: 1.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for batik.

CVE-2015-0250[0]: information disclosure

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0250
[1] http://seclists.org/oss-sec/2015/q1/864

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Processed: owner 780897
Processing commands for cont...@bugs.debian.org:

owner 780897 tmanc...@debian.org
Bug #780897 [src:batik] batik: CVE-2015-0250
Owner recorded as tmanc...@debian.org.
thanks
Stopping processing here.

Please contact me if you need assistance.
--
780897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780897
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
tomcat-native 1.1.32~repack-2 MIGRATED to testing
FYI: The status of the tomcat-native source package in Debian's testing distribution has changed.

Previous version: 1.1.32~repack-1
Current version: 1.1.32~repack-2

--
This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.
Bug#780897: marked as done (batik: CVE-2015-0250)
Your message dated Sat, 21 Mar 2015 23:33:53 + with message-id e1yzstt-0005no...@franck.debian.org and subject line Bug#780897: fixed in batik 1.7+dfsg-5 has caused the Debian Bug report #780897, regarding batik: CVE-2015-0250 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
780897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780897
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: batik
Version: 1.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for batik.

CVE-2015-0250[0]: information disclosure

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0250
[1] http://seclists.org/oss-sec/2015/q1/864

Regards,
Salvatore
---End Message---

---BeginMessage---
Source: batik
Source-Version: 1.7+dfsg-5

We believe that the bug you reported is fixed in the latest version of batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 780...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill tmanc...@debian.org (supplier of updated batik package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 21 Mar 2015 15:24:17 -0700
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
Changed-By: tony mancill tmanc...@debian.org
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 771539 780897
Changes:
 batik (1.7+dfsg-5) unstable; urgency=medium
 .
   [ tony mancill ]
   * Team upload.
   * Update homepage URL to https://xmlgraphics.apache.org/batik/ in debian/control and debian/copyright. (Closes: #771539)
   * Add debian/patches/cve_2015_0250.patch to disable external XML entity resolution (information disclosure). This addresses CVE-2015-0250. (Closes: #780897)
 .
   [ Emmanuel Bourg ]
   * Replaced the Build-Id in the manifests with a constant value to make the build reproducible.
---End Message---
Bug#771539: marked as done (libbatik-java: wrong/updated homepage: https://xmlgraphics.apache.org/batik/)
Your message dated Sat, 21 Mar 2015 23:33:53 + with message-id e1yzstt-0005ni...@franck.debian.org and subject line Bug#771539: fixed in batik 1.7+dfsg-5 has caused the Debian Bug report #771539, regarding libbatik-java: wrong/updated homepage: https://xmlgraphics.apache.org/batik/ to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
771539: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: libbatik-java
Version: 1.7+dfsg-4
Severity: minor

Package points to http://xml.apache.org/batik/ as homepage. That is a virtually empty page.

Seems the proper Homepage is https://xmlgraphics.apache.org/batik/.

 - Jonas
---End Message---

---BeginMessage---
Source: batik
Source-Version: 1.7+dfsg-5

We believe that the bug you reported is fixed in the latest version of batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 771...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill tmanc...@debian.org (supplier of updated batik package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 21 Mar 2015 15:24:17 -0700
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
Changed-By: tony mancill tmanc...@debian.org
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 771539 780897
Changes:
 batik (1.7+dfsg-5) unstable; urgency=medium
 .
   [ tony mancill ]
   * Team upload.
   * Update homepage URL to https://xmlgraphics.apache.org/batik/ in debian/control and debian/copyright. (Closes: #771539)
   * Add debian/patches/cve_2015_0250.patch to disable external XML entity resolution (information disclosure). This addresses CVE-2015-0250. (Closes: #780897)
 .
   [ Emmanuel Bourg ]
   * Replaced the Build-Id in the manifests with a constant value to make the build reproducible.
Processing of batik_1.7+dfsg-5_amd64.changes
batik_1.7+dfsg-5_amd64.changes uploaded successfully to localhost along with the files:
  batik_1.7+dfsg-5.dsc
  batik_1.7+dfsg-5.debian.tar.xz
  libbatik-java_1.7+dfsg-5_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)
batik_1.7+dfsg-5_amd64.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Sat, 21 Mar 2015 15:24:17 -0700
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
Changed-By: tony mancill tmanc...@debian.org
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 771539 780897
Changes:
 batik (1.7+dfsg-5) unstable; urgency=medium
 .
   [ tony mancill ]
   * Team upload.
   * Update homepage URL to https://xmlgraphics.apache.org/batik/ in debian/control and debian/copyright. (Closes: #771539)
   * Add debian/patches/cve_2015_0250.patch to disable external XML entity resolution (information disclosure). This addresses CVE-2015-0250. (Closes: #780897)
 .
   [ Emmanuel Bourg ]
   * Replaced the Build-Id in the manifests with a constant value to make the build reproducible.

Thank you for your contribution to Debian.
Bug#780897: batik: CVE-2015-0250
On 03/21/2015 12:07 AM, Salvatore Bonaccorso wrote:
> Source: batik
> Version: 1.7-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for batik.
>
> CVE-2015-0250[0]: information disclosure
>
> If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-0250
> [1] http://seclists.org/oss-sec/2015/q1/864
>
> Regards,
> Salvatore

Hello Salvatore,

Thank you for the bug report and the detailed information in security-tracker.d.o. I was able to reproduce the information disclosure and test that the version just uploaded to unstable no longer exhibits the disclosure.

Version 1.7+dfsg-5 addresses this bug for sid and should also be appropriate for jessie. I'll look at wheezy and squeeze next.

Thank you,
tony