Debian Bug report logs - #791957
apache-directory-api: CVE-2015-3250
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 9 Jul 2015 17:51:05 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version apache-directory-api/1.0.0~M20-1
Fixed in version apache-directory-api/1.0.0~M20-3
Done: Emmanuel Bourg <ebourg@apache.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#791957; Package src:apache-directory-api. (Thu, 09 Jul 2015 17:51:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 09 Jul 2015 17:51:09 GMT)
Message #5 received at submit@bugs.debian.org:
Source: apache-directory-api
Version: 1.0.0~M20-1
Severity: important
Tags: security upstream fixed-upstream
Hi Emmanuel,
the following vulnerability was published for apache-directory-api,
filing a bug in the BTS to have it documented. AFAICS not much
information but it is fixed in new upstream version 1.0.0~M31. Could
you update the package to it?
CVE-2015-3250[0]:
timing attack vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3250
[1] http://www.openwall.com/lists/oss-security/2015/07/07/5 (note
there was a typo in the CVE referenced there)
Regards,
Salvatore
Reply sent to Emmanuel Bourg <ebourg@apache.org>: You have taken responsibility. (Thu, 09 Jul 2015 21:39:13 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 09 Jul 2015 21:39:14 GMT)
Message #10 received at 791957-close@bugs.debian.org:
Source: apache-directory-api
Source-Version: 1.0.0~M20-3
We believe that the bug you reported is fixed in the latest version of
apache-directory-api, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 791957@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated apache-directory-api package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 09 Jul 2015 23:07:02 +0200
Source: apache-directory-api
Binary: libapache-directory-api-java
Architecture: source all
Version: 1.0.0~M20-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libapache-directory-api-java - Apache Directory LDAP API
Closes: 791957
Changes:
apache-directory-api (1.0.0~M20-3) unstable; urgency=medium
.
* Fixed CVE-2015-3050: Timing Attack vulnerability (Closes: #791957)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 12 Aug 2015 07:31:12 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:25:33 2019; Machine Name: buxtehude