openjpa: CVE-2013-1768

Related Vulnerabilities: CVE-2013-1768  

Debian Bug report logs - #716937


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 15 Jul 2013 05:42:02 UTC

Severity: grave

Tags: confirmed, security

Fixed in version openjpa/2.2.2-1

Done: Miguel Landaeta <miguel@miguel.cc>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#716937; Package openjpa. (Mon, 15 Jul 2013 05:42:06 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 15 Jul 2013 05:42:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpa: CVE-2013-1768
Date: Mon, 15 Jul 2013 07:35:20 +0200
Package: openjpa
Severity: grave
Tags: security
Justification: user security hole

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#716937; Package openjpa. (Sun, 01 Sep 2013 22:33:07 GMT).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Sep 2013 22:33:07 GMT).


Message #10 received at 716937@bugs.debian.org:

From: Miguel Landaeta <miguel@miguel.cc>
To: 706176@bugs.debian.org, 716937@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: FTBFS with hsqldb 2.2.9: cannot find symbol (org.hsqldb.Trace)
Date: Sun, 1 Sep 2013 19:35:22 -0300
tags 716937 + confirmed pending
tags 716937 + confirmed pending
thanks

Marking them as pending since those bugs are already fixed in the git
repo but I'm still dealing with some random Maven errors during the
build process.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche

Added tag(s) confirmed and pending. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 01 Sep 2013 22:33:10 GMT).


Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Wed, 09 Oct 2013 00:21:09 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 09 Oct 2013 00:21:09 GMT).


Message #17 received at 716937-close@bugs.debian.org:

From: Miguel Landaeta <miguel@miguel.cc>
To: 716937-close@bugs.debian.org
Subject: Bug#716937: fixed in openjpa 2.2.2-1
Date: Wed, 09 Oct 2013 00:18:52 +0000
Source: openjpa
Source-Version: 2.2.2-1

We believe that the bug you reported is fixed in the latest version of
openjpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 716937@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated openjpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 Oct 2013 20:39:22 -0300
Source: openjpa
Binary: libopenjpa-java libopenjpa-java-doc
Architecture: source all
Version: 2.2.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libopenjpa-java - Java Persistence 2.0 API (JPA) implementation library
 libopenjpa-java-doc - Documentation for libopenjpa-java
Closes: 706176 716937
Changes: 
 openjpa (2.2.2-1) unstable; urgency=low
 .
   [ Miguel Landaeta ]
   * New upstream release. (Closes: #716937).
     This release includes a fix for security issue CVE-2013-1768
     that allowed remote attackers to execute arbitrary code.
   * Switch build system from Ant to Maven since that was upstream use.
     Replace debhelper with cdbs.
     Several Maven plugins and libraries were added to dependency lists.
   * Bump Standards-Version to 3.9.4. No changes were required.
   * Added Stephen Nelson to Uploaders list.
   * Drop java7-compat.diff patch, it's not needed anymore.
   * Use canonical form of Vcs-* fields.
   * Remove obsolete DMUA header.
   * OpenJPA user manual is no longer included in -doc.
 .
   [ Stephen Nelson ]
   * Fix FTBFS cause by libhsqldb-java API changes. (Closes: #706176).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:45:12 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:31:40 2019; Machine Name: beach
