jss: CVE-2019-14823

Debian Bug report logs - #942463

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 16 Oct 2019 20:09:02 UTC

Severity: grave

Tags: security, upstream

Found in version jss/4.6.1-3

Fixed in version jss/4.6.2-1

Done: Timo Aaltonen <tjaalton@debian.org>

Forwarded to https://github.com/dogtagpki/jss/pull/284



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>:
Bug#942463; Package src:jss. (Wed, 16 Oct 2019 20:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>. (Wed, 16 Oct 2019 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jss: CVE-2019-14823
Date: Wed, 16 Oct 2019 22:07:34 +0200
Source: jss
Version: 4.6.1-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/dogtagpki/jss/pull/284

Hi,

The following vulnerability was published for jss.

CVE-2019-14823[0]:
| A flaw was found in the "Leaf and Chain" OCSP policy implementation in
| JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it
| implicitly trusted the root certificate of a certificate chain.
| Applications using this policy may not properly verify the chain and
| could be vulnerable to attacks such as Man in the Middle.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14823
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14823
[1] https://github.com/dogtagpki/jss/pull/284
[2] https://github.com/dogtagpki/jss/commit/be37ff4738b4696d529a13b6ed33c7ac56d97ba4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Thu, 17 Oct 2019 10:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 Oct 2019 10:21:06 GMT)


Message #10 received at 942463-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 942463-close@bugs.debian.org
Subject: Bug#942463: fixed in jss 4.6.2-1
Date: Thu, 17 Oct 2019 10:19:08 +0000
Source: jss
Source-Version: 4.6.2-1

We believe that the bug you reported is fixed in the latest version of
jss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 942463@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated jss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 17 Oct 2019 12:55:52 +0300
Source: jss
Architecture: source
Version: 4.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Closes: 942463
Changes:
 jss (4.6.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - fix CVE-2019-14823 (Closes: #942463)
   * fix-bufferprfd.diff: Dropped, upstream.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Oct 17 16:48:00 2019; Machine Name: beach
