not-yet-commons-ssl: CVE-2014-3604


Debian Bug report logs - #759526


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 28 Aug 2014 06:18:02 UTC

Severity: grave

Tags: security, upstream

Fixed in version not-yet-commons-ssl/0.3.15-1

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#759526; Package not-yet-commons-ssl. (Thu, 28 Aug 2014 06:18:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 28 Aug 2014 06:18:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: not-yet-commons-ssl: CVE-2014-3604
Date: Thu, 28 Aug 2014 07:59:06 +0200
Package: not-yet-commons-ssl
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2014-3604:
http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html

Cheers,
        Moritz



Added tag(s) upstream. Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Sat, 30 Aug 2014 17:39:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#759526; Package not-yet-commons-ssl. (Tue, 09 Sep 2014 16:30:15 GMT)


Acknowledgement sent to Matthew Vernon <matthewv@chiark.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 09 Sep 2014 16:30:15 GMT)


Message #12 received at 759526@bugs.debian.org:

From: Matthew Vernon <matthewv@chiark.greenend.org.uk>
To: 759526@bugs.debian.org
Cc: debian-java@lists.debian.org
Subject: New upstream version fixes CVE-2014-3604
Date: Tue, 9 Sep 2014 09:27:48 -0700
Hi,

Upstream have released 0.3.15, which fixes this bug. I’m still away (and will be for a while yet); would one of the java team mind uploading 0.3.15, please? Hopefully it’ll just drop in on top of the existing packaging…

Thanks,

Matthew


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#759526; Package not-yet-commons-ssl. (Wed, 10 Sep 2014 05:42:10 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 10 Sep 2014 05:42:11 GMT)


Message #17 received at 759526@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Matthew Vernon <matthewv@chiark.greenend.org.uk>, 759526@bugs.debian.org
Subject: Re: Bug#759526: New upstream version fixes CVE-2014-3604
Date: Tue, 09 Sep 2014 22:39:12 -0700
On 09/09/2014 09:27 AM, Matthew Vernon wrote:
> Hi,
> 
> Upstream have released 0.3.15, which fixes this bug. I’m still away (and will be for a while yet); would one of the java team mind uploading 0.3.15, please? Hopefully it’ll just drop in on top of the existing packaging…
> 
> Thanks,
> 
> Matthew

Hi Matthew.

I'm taking a look at it now and think it will be mostly straightforward.

There are a few new build-deps to be added and a new patch to be created
for build.xml.  The only thing that gives me pause is that upstream is
building against the latest version of bouncycastle, 1.51, which is
newer than what we have in Debian right now.  I'll know soon whether
this causes an issue.

Cheers,
tony

P.S.  Anyone on the Java Team interested in looking at getting a newer
version of BC into the archive for jessie?



Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Thu, 11 Sep 2014 06:36:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 11 Sep 2014 06:36:09 GMT)


Message #22 received at 759526-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 759526-close@bugs.debian.org
Subject: Bug#759526: fixed in not-yet-commons-ssl 0.3.15-1
Date: Thu, 11 Sep 2014 06:34:25 +0000
Source: not-yet-commons-ssl
Source-Version: 0.3.15-1

We believe that the bug you reported is fixed in the latest version of
not-yet-commons-ssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 759526@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated not-yet-commons-ssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Sep 2014 22:56:26 -0700
Source: not-yet-commons-ssl
Binary: libnot-yet-commons-ssl-java libnot-yet-commons-ssl-java-doc
Architecture: source all
Version: 0.3.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description:
 libnot-yet-commons-ssl-java - Not-yet-commons-SSL is a library to make SSL in Java easier
 libnot-yet-commons-ssl-java-doc - Documentation for Not-yet-commons-SSL
Closes: 759526
Changes:
 not-yet-commons-ssl (0.3.15-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2014-3604. (Closes: #759526)
   * debian/control:
     - Add Vcs- fields; package is now available in pkg-java git.
     - Bump Standards-Version to 3.9.5.
     - Add build-deps needed for junit tests.
   * Use debhelper 9.
   * Enable unit tests.
   * Fix lintian warning in debian/copyright regarding MIT/X11 license.
Checksums-Sha1:
 19a6008f112eec469c2917b545c6d1516fb0aaf5 2283 not-yet-commons-ssl_0.3.15-1.dsc
 80a97f9e4314b87204bf140a6596dbb06ec2f631 554171 not-yet-commons-ssl_0.3.15.orig.tar.bz2
 0833b82696692dece693343e775addc34eb40fc8 5280 not-yet-commons-ssl_0.3.15-1.debian.tar.xz
 4cf2b7d37fca1f303946fdaa5f33518cefd44d01 269028 libnot-yet-commons-ssl-java_0.3.15-1_all.deb
 72991162c715612d834caa48594bf00dc648cd79 318106 libnot-yet-commons-ssl-java-doc_0.3.15-1_all.deb
Checksums-Sha256:
 fdb2532e36aac30346f604078124ba6fb202b01ad429b94a17dc271d39703e72 2283 not-yet-commons-ssl_0.3.15-1.dsc
 394fc7e791b74a15129d9a962968aa303da943ec7b71f0a13389d4bf7d892101 554171 not-yet-commons-ssl_0.3.15.orig.tar.bz2
 7436963ed65c1d5da60f2a13a6b41d333b04482e533f9e35738fb41af901aeae 5280 not-yet-commons-ssl_0.3.15-1.debian.tar.xz
 2afbb6434dd8f44ed872e9a066605241441a94c0fce7c4bc97063187bbd6f46c 269028 libnot-yet-commons-ssl-java_0.3.15-1_all.deb
 b451a1925b384d4beac68f3923be7c59607ae8ab15e57c8592c7900d11dd8846 318106 libnot-yet-commons-ssl-java-doc_0.3.15-1_all.deb
Files:
 086e692e60a347ef30716ea24077b6d5 269028 java optional libnot-yet-commons-ssl-java_0.3.15-1_all.deb
 b3901dad368a32e8595c866459145f01 318106 doc optional libnot-yet-commons-ssl-java-doc_0.3.15-1_all.deb
 1859b78704e25c8a671a77ef2be01857 2283 java optional not-yet-commons-ssl_0.3.15-1.dsc
 6ea7c615072b64b505e20425bf631753 554171 java optional not-yet-commons-ssl_0.3.15.orig.tar.bz2
 1597499e22e13370243097efcd32658b 5280 java optional not-yet-commons-ssl_0.3.15-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
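The close message above carries the signed .changes record for 0.3.15-1, whose Checksums-Sha256 block is what lets a downloader confirm that the .deb and source files actually are the upload that closed this bug. What follows is an added example, not code from the bug report or from Debian's own tools: a small parser for the Checksums-Sha256 block plus a verifier that compares each listed file's size and SHA-256 on disk. It assumes the clearsigned record has already been checked with `gpg --verify` (the digests are only as trustworthy as the signature over them). The .changes text and the file contents in `run_demo()` are constructed for the example; their digests are computed from those bytes and are not the digests of the real upload.

```python
"""Check downloaded files against the Checksums-Sha256 block of a Debian
.changes record like the one that closed this bug.

Added example, not code from the bug report or from Debian's own tools.
It assumes the clearsigned record has already been verified with gpg
and then checks that each listed file has the stated size and SHA-256.
The .changes text and file contents in run_demo() are constructed:
their digests are computed from those bytes and are not the digests of
the real 0.3.15-1 upload.
"""
import hashlib
import os
import tempfile


def parse_changes(text):
    """Return (fields, checksums): the top-level fields, and
    name -> (sha256_hex, size) from the Checksums-Sha256 block."""
    fields, checksums, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            if current == "Checksums-Sha256" and line.strip():
                digest, size, name = line.split()
                checksums[name] = (digest, int(size))
            continue                      # continuation lines of other fields
        key, sep, value = line.partition(":")
        if sep:
            current = key
            fields[key] = value.strip()
    return fields, checksums


def verify_directory(directory, checksums):
    """Map each listed filename to 'ok', 'missing', 'size-mismatch' or 'digest-mismatch'."""
    results = {}
    for name, (want_digest, want_size) in checksums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != want_size:
            results[name] = "size-mismatch"       # cheap check before hashing
        elif hashlib.sha256(data).hexdigest() != want_digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def make_changes_text(files):
    """Render a minimal, unsigned .changes record for a {name: bytes} mapping (constructed)."""
    lines = ["Format: 1.8", "Source: not-yet-commons-ssl", "Version: 0.3.15-1",
             "Distribution: unstable", "Closes: 759526", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def run_demo():
    """Constructed scenario: one intact file, one altered in place, one truncated, one absent."""
    files = {
        "libnot-yet-commons-ssl-java_0.3.15-1_all.deb": b"constructed: java deb\n",
        "libnot-yet-commons-ssl-java-doc_0.3.15-1_all.deb": b"constructed: doc deb\n",
        "not-yet-commons-ssl_0.3.15-1.dsc": b"constructed: dsc\n",
        "not-yet-commons-ssl_0.3.15.orig.tar.bz2": b"constructed: tarball\n",
    }
    fields, checksums = parse_changes(make_changes_text(files))
    if fields["Closes"] != "759526":
        raise ValueError("record does not close the expected bug")
    on_disk = dict(files)
    on_disk["libnot-yet-commons-ssl-java-doc_0.3.15-1_all.deb"] = b"constructed: DOC deb\n"  # same size, other bytes
    on_disk["not-yet-commons-ssl_0.3.15-1.dsc"] = b"constructed: ds"                           # truncated download
    del on_disk["not-yet-commons-ssl_0.3.15.orig.tar.bz2"]                                    # never downloaded
    with tempfile.TemporaryDirectory() as d:
        for name, data in on_disk.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return verify_directory(d, checksums)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:16} {name}")
```

Against a real download, feed `parse_changes()` the text of the fetched .changes file after `gpg --verify` has succeeded against a key you trust for the uploader, and point `verify_directory()` at the directory holding the files. The size check is only a cheap first filter; the SHA-256 comparison is the one that actually ties the files to the signed record.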




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Oct 2014 07:28:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:31:41 2019; Machine Name: buxtehude
