
Debian Bug report logs - #977399
groovy: CVE-2020-17521


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 14 Dec 2020 18:42:02 UTC

Severity: important

Tags: security, upstream

Found in version groovy/2.4.20-1

Fixed in version groovy/2.4.21-1

Done: Markus Koschany <apo@debian.org>

Forwarded to https://issues.apache.org/jira/browse/GROOVY-9824



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#977399; Package src:groovy. (Mon, 14 Dec 2020 18:42:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 14 Dec 2020 18:42:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: groovy: CVE-2020-17521
Date: Mon, 14 Dec 2020 19:39:22 +0100
Source: groovy
Version: 2.4.20-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/GROOVY-9824
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for groovy.

CVE-2020-17521[0]:
| Apache Groovy provides extension methods to aid with creating
| temporary directories. Prior to this fix, Groovy's implementation of
| those extension methods was using a now superseded Java JDK method
| call that is potentially not secure on some operating systems in some
| contexts. Users not using the extension methods mentioned in the
| advisory are not affected, but may wish to read the advisory for
| further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13,
| 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14,
| 3.0.7, 4.0.0-alpha-2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-17521
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17521
[1] https://issues.apache.org/jira/browse/GROOVY-9824
[2] https://www.openwall.com/lists/oss-security/2020/12/06/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
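Added illustration, not part of this bug report and not code from the Groovy project: a small Java program that puts the superseded temp-directory idiom (File.createTempFile(), then delete(), then mkdir(), which leaves a race window and creates the directory with the process umask rather than owner-only permissions) next to the current java.nio.file.Files.createTempDirectory() API, and includes a check a defender can run to see whether a temp directory ended up readable by other local users. The class and method names are my own; the permission check assumes a POSIX file system (Files.getPosixFilePermissions throws UnsupportedOperationException on Windows).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirCheck {

    // Superseded idiom: reserve a unique name with createTempFile(), remove the
    // file, then recreate the name as a directory. Between delete() and mkdir()
    // another local user can claim the name, and mkdir() applies the default
    // umask, so the directory is typically group/world readable (e.g. 0755).
    static File legacyCreateTempDir(String prefix) throws IOException {
        File f = File.createTempFile(prefix, "");
        if (!f.delete()) {
            throw new IOException("could not delete placeholder " + f);
        }
        if (!f.mkdir()) {
            throw new IOException("could not create directory " + f);
        }
        return f;
    }

    // Current API: the directory is created in one step and, on POSIX systems,
    // with owner-only permissions (rwx------) unless attributes are supplied.
    static Path secureCreateTempDir(String prefix) throws IOException {
        return Files.createTempDirectory(prefix);
    }

    // Defender check: true if any group or other permission bit is set, i.e.
    // users other than the owner can list, write to or traverse the directory.
    static boolean accessibleToOtherUsers(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            switch (p) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    return true;
                default:
                    break;
            }
        }
        return false;
    }

    static String describe(Path dir) throws IOException {
        return dir + " mode=" + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir))
                + " exposedToOtherUsers=" + accessibleToOtherUsers(dir);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyCreateTempDir("legacy-").toPath();
        Path secure = secureCreateTempDir("secure-");
        try {
            // With a typical umask of 022 the first line reports mode=rwxr-xr-x
            // and exposedToOtherUsers=true; the second reports rwx------ / false.
            System.out.println(describe(legacy));
            System.out.println(describe(secure));
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(secure);
        }
    }
}
```

The same check can be applied to any directory an application keeps under java.io.tmpdir: on a multi-user host, a temp directory whose mode shows group or other bits set is the information-disclosure condition the advisory describes, and the fix is to create it with Files.createTempDirectory (or to pass an explicit rwx------ attribute via PosixFilePermissions.asFileAttribute) rather than to chmod it after the fact.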



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#977399. (Mon, 14 Dec 2020 23:12:02 GMT)


Message #8 received at 977399-submitter@bugs.debian.org:

From: Markus Koschany <noreply@salsa.debian.org>
To: 977399-submitter@bugs.debian.org
Subject: Bug#977399 marked as pending in groovy
Date: Mon, 14 Dec 2020 23:09:25 +0000
Control: tag -1 pending

Hello,

Bug #977399 in groovy reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/groovy/-/commit/b87426022d13f0c079a66867d7a2906eec6bc12e

------------------------------------------------------------------------
Fix CVE-2020-17521: Apache Groovy Information Disclosure

Closes: #977399
Thanks: Salvatore Bonaccorso for the report.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/977399



Added tag(s) pending. Request was from Markus Koschany <noreply@salsa.debian.org> to 977399-submitter@bugs.debian.org. (Mon, 14 Dec 2020 23:12:02 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Mon, 14 Dec 2020 23:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 14 Dec 2020 23:36:03 GMT)


Message #15 received at 977399-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 977399-close@bugs.debian.org
Subject: Bug#977399: fixed in groovy 2.4.21-1
Date: Mon, 14 Dec 2020 23:33:22 +0000
Source: groovy
Source-Version: 2.4.21-1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977399@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 14 Dec 2020 23:32:02 +0100
Source: groovy
Architecture: source
Version: 2.4.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 977399
Changes:
 groovy (2.4.21-1) unstable; urgency=medium
 .
   * Team upload.
   * d/watch: Track only the supported 2.4.x versions until we can upgrade
     groovy.
   * New upstream version 2.4.21.
     - Fix CVE-2020-17521: Apache Groovy Information Disclosure.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #977399)
   * Declare compliance with Debian Policy 4.5.1.
Checksums-Sha1:
 8192e9d2e028bab9e8c9b51e54f5c2ff6ffcfe8d 2529 groovy_2.4.21-1.dsc
 8c02175b1416b4a1c70adb696af8c866169eda03 3030876 groovy_2.4.21.orig.tar.xz
 ff78a15f4af6fb5b0b1e2fac034a51e22dcd39f4 27672 groovy_2.4.21-1.debian.tar.xz
 cb5a592d4ce50139876d1604b1e88da97132d06a 12421 groovy_2.4.21-1_amd64.buildinfo
Checksums-Sha256:
 91182a53f3358ca56f4ae99a61182237b83096b4e68db4a40abad0798ac2ebca 2529 groovy_2.4.21-1.dsc
 b8a4b4262e02f4f4106990d0b5f5ba694b961da28657a7928b41c3a42baa6a24 3030876 groovy_2.4.21.orig.tar.xz
 f621048d9a6171ae9d1e63be13bdf892371de3a13a6869d1cd929417cd1c0f14 27672 groovy_2.4.21-1.debian.tar.xz
 6f1a37666986de5a9999933c3d52c466abf33405801ad22a8438214d4b4ff177 12421 groovy_2.4.21-1_amd64.buildinfo
Files:
 09edc201d3ccf00afae71c1f74e55b92 2529 java optional groovy_2.4.21-1.dsc
 1efd8881ea60a1de09d5af7b4fc02e45 3030876 java optional groovy_2.4.21.orig.tar.xz
 95fae3413e5114ef84dd89f43eb618ac 27672 java optional groovy_2.4.21-1.debian.tar.xz
 20a710a5836fcb65c679db8924d49583 12421 java optional groovy_2.4.21-1_amd64.buildinfo

[PGP signature omitted]






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Dec 15 07:58:05 2020; Machine Name: buxtehude
