Bug#860567: marked as done (fop: CVE-2017-5661: information disclosure vulnerability)

Your message dated Wed, 31 May 2017 01:02:08 +0000
with message-id
and subject line Bug#860567: fixed in fop 1:1.1.dfsg2-1+deb8u1
has caused the Debian Bug report #860567,
regarding fop: CVE-2017-5661: information disclosure vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
860567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860567
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for fop.

CVE-2017-5661[0]:
| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within an XML document can trivially trigger an amplification attack.

I was not able to verify that myself, but it is claimed to affect all
fop versions from 1.0 up to 2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661
[1] http://www.openwall.com/lists/oss-security/2017/04/18/2

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: fop
Source-Version: 1:1.1.dfsg2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg (supplier of updated fop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 May 2017 17:35:34 +0200
Source: fop
Binary: fop libfop-java fop-doc
Architecture: source all
Version: 1:1.1.dfsg2-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Emmanuel Bourg
Description:
 fop         - XML formatter driven by XSL Formatting Objects (XSL-FO.)
 fop-doc     - XML formatter driven by XSL Formatting Objects (doc)
 libfop-java - XML formatter driven by XSL Formatting Objects (XSL-FO.)
Closes: 860567
Changes:
 fop (1:1.1.dfsg2-1+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Checksums-Sha1:
 c8a766eb23c24297298d957e90d4ca76e895d4a6 2507 fop_1.1.dfsg2-1+deb8u1.dsc
 21c1bd4397974bd5ffaa4fe6fa351bfecd5c93b5 8753464 fop_1.1.dfsg2.orig.tar.xz
 c248ce9e8af758614e5f490eaed29c4c518c487a 842956 fop_1.1.dfsg2-1+deb8u1.debian.tar.xz
 fd8806ffd24ccfbb3e8194269dcdc31d1b57a016 21838 fop_1.1.dfsg2-1+deb8u1_all.deb
 a4774802e317238f8dd2c5e00fdee3405c1e273f 3198758 libfop-java_1.1.dfsg2-1+deb8u1_all.deb
 cd67a0f8b23bc1d63c62628b3d700149120d674e 2494910 fop-doc_1.1.dfsg2-1+deb8u1_all.deb
Checksums-Sha256:
 9e70fd85ce71f944a25e4130632e4f3c63fdf8ec826ccd5e4fe2eb2fc3c45cd7 2507 fop_1.1.dfsg2-1+deb8u1.dsc
 8918d5de3079058ecb1714659c025927527d99f474fe8c1322a1d8ce73ec63b5 8753464 fop_1.1.dfsg2.orig.tar.xz
 0bc6ede8422056c758691ddfd2d269daec5492ec724fe8fce14de0d6a5d6a0af 842956 fop_1.1.dfsg2-1+deb8u1.debian.tar.xz
 d30281ef217dc39b7fc90f6273f3f4b7e2f8e8ab97def685a7a980c693752b4c 21838 fop_1.1.dfsg2-1+deb8u1_all.deb
 e111dcca87688a968e162d9b6d0131cd24f969216aa6ff91511b4bb310b88060 3198758 libfop-java_1.1.dfsg2-1+deb8u1_all.deb
 0ffce8a62e2295bbd83317a41f1da75fe0146904b81634ad6a3d3b8b55b5e3fc 2494910 fop-doc_1.1.dfsg2-1+deb8u1_all.deb
Files:
 b8edc07af02e76937903f48b29442041 2507 text optional fop_1.1.dfsg2-1+deb8u1.dsc
 5cf795e96e558260cbfa65dfe12aa0ed 8753464 text optional fop_1.1.dfsg2.orig.tar.xz
 b3e267b233985f7eca0c6964f98f5349 842956 text optional fop_1.1.dfsg2-1+deb8u1.debian.tar.xz
 2b6c07b48404d39cfab5811acc7
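The CVE text quoted above describes two ways a hostile SVG abuses the XML processor: an external entity that pulls a server file into the rendered output, and nested internal entities that amplify a few bytes of input into a huge expansion. The following is an added example, not code from Apache FOP, from the Debian package or from the bug report. It uses Python's standard-library expat binding to inspect the DTD of a submitted SVG before anything expands it, recording external entity and DTD references and computing how large each internal entity would become if it were expanded. The three SVG inputs are constructed for the example, and the function name `screen_svg` and the expansion cap of 1,000 bytes are assumptions of this example, not values from the page.

```python
import re
import xml.parsers.expat as expat

# Constructed sample inputs (made up for this example, not taken from the bug
# report): one benign SVG and the two hostile shapes the CVE text describes.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><text>ok</text></svg>'

# External entity: the XML processor reads a server file and the text lands in
# the rendered output (the information-disclosure case).
FILE_READ_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY leak SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&leak;</text></svg>"""

# Nested internal entities: four levels of ten references each turn a 10-byte
# entity into 10,000 bytes (the amplification / denial-of-service case).
AMPLIFICATION_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&d;</text></svg>"""

ENTITY_REF = re.compile(r"&([^;&\s]+);")


class _DtdDone(Exception):
    """Raised from the expat handler to stop before any content is parsed."""


def screen_svg(data: bytes, max_expansion: int = 1_000) -> dict:
    """Inspect the DTD of an XML/SVG document without expanding anything.

    Returns a report: external entities and DTD references found, the largest
    replacement text any internal entity could expand to, and a verdict.
    max_expansion is an assumed policy limit for this example.
    """
    report = {"doctype": False, "external": [], "internal": {},
              "max_expansion": 0, "accept": True, "reasons": []}
    parser = expat.ParserCreate()
    # Never load an external DTD subset or parameter entity.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid or pubid:
            report["external"].append(f"DTD {sysid or pubid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:          # SYSTEM/PUBLIC entity: a file or URL fetch
            report["external"].append(f"{'%' if is_param else '&'}{name} -> {sysid}")
        elif value is not None:        # internal entity: keep the literal text;
            report["internal"][name] = value   # nested references stay unexpanded

    def on_doctype_end():
        raise _DtdDone              # stop here: document content would expand entities

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(data, True)
    except _DtdDone:
        pass
    except expat.ExpatError as exc:
        report["accept"] = False
        report["reasons"].append(f"malformed XML: {exc}")
        return report

    # Size each internal entity's full expansion by walking its references,
    # memoised so the work stays linear in the number of declared entities.
    sizes: dict = {}

    def expanded(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:           # recursion is illegal XML; treat as unbounded
            return max_expansion + 1
        text = report["internal"].get(name)
        if text is None:            # predefined or character reference: a few bytes
            return len(name) + 2
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(text):
            total += (m.start() - pos) + expanded(m.group(1), stack + (name,))
            pos = m.end()
        sizes[name] = total + (len(text) - pos)
        return sizes[name]

    for name in report["internal"]:
        report["max_expansion"] = max(report["max_expansion"], expanded(name))

    if report["external"]:
        report["accept"] = False
        report["reasons"].append("external entity or DTD reference")
    if report["max_expansion"] > max_expansion:
        report["accept"] = False
        report["reasons"].append(
            f"entity expansion {report['max_expansion']} exceeds {max_expansion}")
    return report


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("file read", FILE_READ_SVG),
                       ("amplification", AMPLIFICATION_SVG)]:
        print(label, screen_svg(doc))
```

The check stops the parser at the end of the DOCTYPE, so the entity bomb is measured from its declarations rather than triggered, and the external entity is reported rather than fetched. Two caveats for anyone using this pattern as a front door for user-supplied SVG: many legitimate editors emit a DOCTYPE that points at the W3C SVG DTD, which this policy rejects outright, so a deployment may prefer to strip the DOCTYPE instead; and a pre-screen does not replace fixing the rendering pipeline itself, which is what the upstream 2.2 release and the Debian uploads recorded on this page do.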
Bug#860567: marked as done (fop: CVE-2017-5661: information disclosure vulnerability)

Your message dated Wed, 24 May 2017 15:04:51 +0000
with message-id
and subject line Bug#860567: fixed in fop 1:2.1-6
has caused the Debian Bug report #860567,
regarding fop: CVE-2017-5661: information disclosure vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
860567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860567
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for fop.

CVE-2017-5661[0]:
| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within an XML document can trivially trigger an amplification attack.

I was not able to verify that myself, but it is claimed to affect all
fop versions from 1.0 up to 2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661
[1] http://www.openwall.com/lists/oss-security/2017/04/18/2

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: fop
Source-Version: 1:2.1-6

We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg (supplier of updated fop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 May 2017 15:53:03 +0200
Source: fop
Binary: fop libfop-java fop-doc
Architecture: source
Version: 1:2.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Emmanuel Bourg
Description:
 fop         - XML formatter driven by XSL Formatting Objects (XSL-FO.) - app
 fop-doc     - XML formatter driven by XSL Formatting Objects (doc) - doc
 libfop-java - XML formatter driven by XSL Formatting Objects (XSL-FO.) - libs
Closes: 860567
Changes:
 fop (1:2.1-6) unstable; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Checksums-Sha1:
 03aefdca9334b932835a978357671dd1f56bdbcd 2492 fop_2.1-6.dsc
 65808a7ffce63a0fa006dda4458a430bcae2de32 870416 fop_2.1-6.debian.tar.xz
 61765c1f3d45e63c47744cb64c86da2e74ac12dc 5310 fop_2.1-6_source.buildinfo
Checksums-Sha256:
 8dc1a44f7f621127061993970e69bdf49f16067a6c9a276e27144ccc36ef4f2e 2492 fop_2.1-6.dsc
 a59f86deb333458326e0e62600066d4b741923f29f9cc18714034a68d059f73f 870416 fop_2.1-6.debian.tar.xz
 b25d50a885c426a1bf2ce3d9a662b518518212ddf6351d3f3bb1df9d1eefd1b0 5310 fop_2.1-6_source.buildinfo
Files:
 5d5632ee47527572eff4bbbd61391fa1 2492 text optional fop_2.1-6.dsc
 efa740348a632d77994b33f43c4e6bdf 870416 text optional fop_2.1-6.debian.tar.xz
 c081d15c17868d4f7f0a00e5ca7cfe83 5310 text optional fop_2.1-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlklkWgSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsHRQQAMGpCn4Ctdxnhd6CKqCQngX0irXpPZBn
Ay0XGF60iCrGso5df10y2cu1/f8vvyublBXwKcMStn21UL1ydWM2ns4aaH4li+5i
xS8v+Lz7G6ekIlZlm0aFSHztoKhEwi/uIRF1JYS1yWv1IfBOK2rn3oh9W4hTrO9j
d8aIKxyXksmz9lOSf1RbbFrRFLcoWQEmHS08pbVMyNj6yWH5g2E1z3TGVCORKLKP
SZL8QWALq+2N8tF1CaAPLF/Rcvo2Xfqs/KF1JkpXhhFJj3yM4HNjZamc8li1a27l
4H3G+4XZYO2xdJ1lxK85kaNQlUtzXVM5OKcpFlWsTsRhaVREtGCGC1OQDMQBjGMY
nWv5bYBPV3a5v7o7KYNVDmsdwccKVX5++FwmJJbzb4qcE2FdnbG0NpocGKB17V4X
fxM0RIpYXEhvu1hFYmJSVL/5WuGI4hBt1adfsdVNp4JyBOpT0TrPmR62euqOyX62
ZxXNXDE3nAYTjA2TQ0Y278CtIT7BgvaILZ40dZZHFTIRn6Y/FdK44Oy2UT3snjB8
VeXw7YxjDfHbGS7xUNgFPSTgE+zzLz2ZrO2ZShemS9F2NjkENZ1I8J7fBLzPext1
9t