Bug#726601: marked as done (libcommons-fileupload-java: CVE-2013-2186)
Your message dated Mon, 06 Jan 2014 22:02:33 + with message-id and subject line

Bug#726601: fixed in libcommons-fileupload-java 1.2.2-1+deb6u1

has caused the Debian Bug report #726601, regarding libcommons-fileupload-java: CVE-2013-2186 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
726601: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: libcommons-fileupload-java
Severity: grave
Tags: security
Justification: user security hole

Red Hat fixed a security issue Commons FileUpload:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186

Cheers,
Moritz
--- End Message ---

--- Begin Message ---
Source: libcommons-fileupload-java
Source-Version: 1.2.2-1+deb6u1

We believe that the bug you reported is fixed in the latest version of libcommons-fileupload-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 726...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated libcommons-fileupload-java package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 21 Dec 2013 11:12:53 +0100
Source: libcommons-fileupload-java
Binary: libcommons-fileupload-java libcommons-fileupload-java-doc
Architecture: source all
Version: 1.2.2-1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Salvatore Bonaccorso
Description:
libcommons-fileupload-java - File upload capability to your servlets and web applications
libcommons-fileupload-java-doc - Javadoc API documentation for Commons FileUploads
Closes: 726601
Changes:
libcommons-fileupload-java (1.2.2-1+deb6u1) squeeze-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2013-2186.patch patch. CVE-2013-2186: Arbitrary file upload via deserialization. Properly validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
Thanks to Marc Deslauriers (Closes: #726601)

Bug#726601: marked as done (libcommons-fileupload-java: CVE-2013-2186)
Your message dated Mon, 06 Jan 2014 21:47:05 + with message-id and subject line

Bug#726601: fixed in libcommons-fileupload-java 1.2.2-1+deb7u1

has caused the Debian Bug report #726601, regarding libcommons-fileupload-java: CVE-2013-2186 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
726601: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: libcommons-fileupload-java
Severity: grave
Tags: security
Justification: user security hole

Red Hat fixed a security issue Commons FileUpload:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186

Cheers,
Moritz
--- End Message ---

--- Begin Message ---
Source: libcommons-fileupload-java
Source-Version: 1.2.2-1+deb7u1

We believe that the bug you reported is fixed in the latest version of libcommons-fileupload-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 726...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated libcommons-fileupload-java package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 21 Dec 2013 22:33:27 +0100
Source: libcommons-fileupload-java
Binary: libcommons-fileupload-java libcommons-fileupload-java-doc
Architecture: source all
Version: 1.2.2-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Salvatore Bonaccorso
Description:
libcommons-fileupload-java - File upload capability to your servlets and web applications
libcommons-fileupload-java-doc - Javadoc API documentation for Commons FileUploads
Closes: 726601
Changes:
libcommons-fileupload-java (1.2.2-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2013-2186.patch patch. CVE-2013-2186: Arbitrary file upload via deserialization. Properly validate repository in org.apache.commons.fileupload.disk.DiskFileItem. Thanks to Marc Deslauriers (Closes: #726601)
* Add --java-lib to libcommons-fileupload-java.poms. In the resulting binary package the file commons-fileupload.jar in /usr/share/java is missing when rebuilding the package under wheezy.
Thanks to Emmanuel Bourg