Related vulnerabilities: CVE-2018-8013, CVE-2017-5662

Debian Bug report logs - #899374
batik: CVE-2018-8013


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 23 May 2018 13:27:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version batik/1.5beta2-1

Fixed in versions batik/1.10-1, batik/1.8-4+deb9u1, batik/1.7+dfsg-5+deb8u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/BATIK-1222




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#899374; Package src:batik. (Wed, 23 May 2018 13:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 23 May 2018 13:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: batik: CVE-2018-8013
Date: Wed, 23 May 2018 15:23:15 +0200
Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerability was published for batik.

CVE-2018-8013[0]:
Apache Batik information disclosure vulnerability

Unfortunately the report does not share details, but it was posted at
[1], referring to affected versions 1.0 up to 1.9.1 and fixed in 1.10.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8013
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
[1] http://www.openwall.com/lists/oss-security/2018/05/23/1

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#899374; Package src:batik. (Fri, 25 May 2018 10:06:05 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 25 May 2018 10:06:05 GMT)


Message #10 received at 899374@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 899374@bugs.debian.org
Subject: Re: batik: CVE-2018-8013
Date: Fri, 25 May 2018 12:04:19 +0200
This is apparently upstream bug BATIK-1222

https://issues.apache.org/jira/browse/BATIK-1222

Patch:

https://svn.apache.org/viewvc?view=revision&revision=1831241


Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/BATIK-1222'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 May 2018 10:06:10 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 25 May 2018 13:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 25 May 2018 13:21:15 GMT)


Message #17 received at 899374-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 899374-close@bugs.debian.org
Subject: Bug#899374: fixed in batik 1.10-1
Date: Fri, 25 May 2018 13:19:43 +0000
Source: batik
Source-Version: 1.10-1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899374@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 25 May 2018 13:53:34 +0200
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 884481 884536 899374
Changes:
 batik (1.10-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.10.
     - squiggle works as expected again after updating the policy patch.
       (Closes: #884481)
     - Fix CVE-2018-8013: information disclosure vulnerability.
       (Closes: #899374)
   * Drop 07_optional_rhino_and_jython_dependencies.patch. Applied upstream.
   * Remove repack scripts and use Files-Excluded mechanism instead.
   * Update the watch file. Use Files-Excluded.
   * Ignore jython artifact and add no-Jython-support.patch. Jython as a
     scripting language for Batik is no longer supported because the dependency
     complicates transitions. (Closes: #884536)
   * Ignore batik-test-old module.
Checksums-Sha1:
 2793a5adb6a83b61dbf4613defe3836185592a3c 2304 batik_1.10-1.dsc
 7fe65c7594207a52cbda62f91dd9c6ce3345983b 5549417 batik_1.10.orig.tar.gz
 2b87afa682268445fd39cde6981f086579bac6a0 31560 batik_1.10-1.debian.tar.xz
 bd91d28ed5cc8e76542343729b1a37f3ef69b062 15590 batik_1.10-1_amd64.buildinfo
Checksums-Sha256:
 f4851be6bc2ede46e7bcfc9bde5660731944ed7b6cd1b00317bbc9b3b5dafc5d 2304 batik_1.10-1.dsc
 800af9f9eede082fed10fe76de87d31653c634afa32e85f1091c73bede6d14be 5549417 batik_1.10.orig.tar.gz
 047755bde9cf82e92cdf4ef90ffd404bc556549a66813a3a3314c51daea5f2ea 31560 batik_1.10-1.debian.tar.xz
 95305bd9eec64e43136fce077f74dd9e9a6553af38dc23ae85a68c2c654712ea 15590 batik_1.10-1_amd64.buildinfo
Files:
 c40f898e565959ab0ad74215240a4d29 2304 java optional batik_1.10-1.dsc
 312d7ff1d9106e0a3d61361b9e94e5e1 5549417 java optional batik_1.10.orig.tar.gz
 aa47200173af9e3983444f61b3e3fbef 31560 java optional batik_1.10-1.debian.tar.xz
 01910cc6ea70b9b2470531d041f5121c 15590 java optional batik_1.10-1_amd64.buildinfo





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2018 11:03:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 11:03:10 GMT)


Message #22 received at 899374-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 899374-close@bugs.debian.org
Subject: Bug#899374: fixed in batik 1.8-4+deb9u1
Date: Sun, 03 Jun 2018 11:02:08 +0000
Source: batik
Source-Version: 1.8-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899374@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 30 May 2018 18:59:04 +0200
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.8-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 860566 899374
Changes:
 batik (1.8-4+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
   * Fix CVE-2018-8013: information disclosure when deserializing a subclass of
     AbstractDocument. (Closes: #899374)
Checksums-Sha1:
 2ab776502c481cc9e2d43acc5b3abf30bb4fcb28 2373 batik_1.8-4+deb9u1.dsc
 874c6e71c37f13b706b18e5007f6c48b13183095 7504664 batik_1.8.orig.tar.gz
 1144d669a7c2251d1b5de7fc83d71d0037cd65d5 14528 batik_1.8-4+deb9u1.debian.tar.xz
 dfdd39e26731df20e550231da4d06ebf3fffe108 11593 batik_1.8-4+deb9u1_amd64.buildinfo
 35bd8f6bf9309ec6462152f05197eb1091ec2f93 2891780 libbatik-java_1.8-4+deb9u1_all.deb
Checksums-Sha256:
 0992d7d659d013610f22099fcdbd9ccef6ecd26d6ac07a9d22c2dd04a3d6a3c2 2373 batik_1.8-4+deb9u1.dsc
 bfd18b0eb3f4ae32655f929e510b630bddb4e00ac3e08af4881027c635eb1624 7504664 batik_1.8.orig.tar.gz
 c6fdce714d335d731befe02f394541dfc10f1f6307ba95be3c8d70e867f0f1bd 14528 batik_1.8-4+deb9u1.debian.tar.xz
 abc0b0d9855953078e70e2cdee82d635669e0c9a2fa5b388ce24a1c736d44a9a 11593 batik_1.8-4+deb9u1_amd64.buildinfo
 7a6a1c13462c834c3bba4c8a7d589b89f92bea44c9ea43306d098b82eb86cfc9 2891780 libbatik-java_1.8-4+deb9u1_all.deb
Files:
 7597d60c294a4199b5a24f735fdb3577 2373 java optional batik_1.8-4+deb9u1.dsc
 8999291b3cfc8cda4673243d67d697e0 7504664 java optional batik_1.8.orig.tar.gz
 0379ade4865b5690ecfdd2a55b5a1c44 14528 java optional batik_1.8-4+deb9u1.debian.tar.xz
 56031a1d2d80207cf4813a1763bbfbcc 11593 java optional batik_1.8-4+deb9u1_amd64.buildinfo
 c1d08aeacd6b7581d47aae3bac948d38 2891780 java optional libbatik-java_1.8-4+deb9u1_all.deb





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2018 11:36:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 11:36:07 GMT)


Message #27 received at 899374-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 899374-close@bugs.debian.org
Subject: Bug#899374: fixed in batik 1.7+dfsg-5+deb8u1
Date: Sun, 03 Jun 2018 11:32:35 +0000
Source: batik
Source-Version: 1.7+dfsg-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899374@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 30 May 2018 18:25:57 +0200
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 860566 899374
Changes:
 batik (1.7+dfsg-5+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
   * Fix CVE-2018-8013: information disclosure when deserializing a subclass of
     AbstractDocument. (Closes: #899374)
Checksums-Sha1:
 8fb1c80d46209741775983914a49fcfd1e1f4d96 2406 batik_1.7+dfsg-5+deb8u1.dsc
 b9e8d2bdedcb1ddf553c9b99115165264cf8b4b8 4290288 batik_1.7+dfsg.orig.tar.xz
 6f8bf33eca55ba17861790d33e155763e1137d49 13216 batik_1.7+dfsg-5+deb8u1.debian.tar.xz
 e8fb3db286e99a4957bdfeb60e7491e541c1cc64 2857362 libbatik-java_1.7+dfsg-5+deb8u1_all.deb
Checksums-Sha256:
 92b5a0e69774ce59e172146c08cbc6ace4b3c1e9071ad2fa782a464b61c0f8f1 2406 batik_1.7+dfsg-5+deb8u1.dsc
 2003bc124a01cedb1ebebda32c1412a0a8292573348d751f8b06fa24dcf03124 4290288 batik_1.7+dfsg.orig.tar.xz
 999690e66fca860ad148dd0e9644f34af2b2240d3002c70952277a2211e4a16e 13216 batik_1.7+dfsg-5+deb8u1.debian.tar.xz
 d9ea60d22acdafacd739ed2e4b1837c43a4f3eb147e752c6105b2f0542d4342c 2857362 libbatik-java_1.7+dfsg-5+deb8u1_all.deb
Files:
 0322ac72f75c8e4d2ad4df0d74ed01dc 2406 java optional batik_1.7+dfsg-5+deb8u1.dsc
 dfd317fa0c7bc9782273c05d3045b90c 4290288 java optional batik_1.7+dfsg.orig.tar.xz
 14cfa5f522198f00cd8605712a7a4a08 13216 java optional batik_1.7+dfsg-5+deb8u1.debian.tar.xz
 8234cf3833fab70f808053d597d1ff22 2857362 java optional libbatik-java_1.7+dfsg-5+deb8u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jul 2018 07:28:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:56:28 2019; Machine Name: buxtehude
