wss4j: CVE-2015-0226 CVE-2015-0227

Related Vulnerabilities: CVE-2015-0226, CVE-2015-0227, CVE-2011-2487

Debian Bug report logs - #777741

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 12 Feb 2015 06:21:02 UTC

Severity: grave

Tags: security

Fixed in version wss4j/1.6.15-2

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#777741; Package wss4j. (Thu, 12 Feb 2015 06:21:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 12 Feb 2015 06:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wss4j: CVE-2015-0226 CVE-2015-0227
Date: Thu, 12 Feb 2015 07:11:43 +0100
Package: wss4j
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0226
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0227

Cheers,
        Moritz



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to control@bugs.debian.org. (Thu, 12 Feb 2015 08:54:04 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 12 Feb 2015 09:27:15 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 12 Feb 2015 09:27:15 GMT)


Message #12 received at 777741-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 777741-close@bugs.debian.org
Subject: Bug#777741: fixed in wss4j 1.6.15-2
Date: Thu, 12 Feb 2015 09:23:40 +0000
Source: wss4j
Source-Version: 1.6.15-2

We believe that the bug you reported is fixed in the latest version of
wss4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 777741@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated wss4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 12 Feb 2015 09:11:29 +0100
Source: wss4j
Binary: libwss4j-java
Architecture: source all
Version: 1.6.15-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libwss4j-java - Apache WSS4J WS-Security implementation
Closes: 777741
Changes:
 wss4j (1.6.15-2) unstable; urgency=medium
 .
   * Fixed security issues (Closes: #777741):
      - CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
        (incomplete fix for CVE-2011-2487)
      - CVE-2015-0226: WSS4J doesn't correctly enforce the
        requireSignedEncryptedDataElements property
   * Standards-Version updated to 3.9.6 (no changes)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:47:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:55 2019; Machine Name: beach
