batik: CVE-2015-0250

Debian Bug report logs - #780897
batik: CVE-2015-0250

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: batik: CVE-2015-0250

Date: Sat, 21 Mar 2015 08:07:52 +0100

Source: batik
Version: 1.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for batik.

CVE-2015-0250[0]:
information disclosure

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0250
[1] http://seclists.org/oss-sec/2015/q1/864

Regards,
Salvatore

Message #12 received at 780897@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: 780897@bugs.debian.org

Subject: Re: Bug#780897: batik: CVE-2015-0250

Date: Sat, 21 Mar 2015 16:31:38 -0700

[Message part 1 (text/plain, inline)]

On 03/21/2015 12:07 AM, Salvatore Bonaccorso wrote:
> Source: batik
> Version: 1.7-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for batik.
> 
> CVE-2015-0250[0]:
> information disclosure
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-0250
> [1] http://seclists.org/oss-sec/2015/q1/864
> 
> Regards,
> Salvatore

Hello Salvatore,

Thank you for the bug report and the detailed information in
security-tracker.d.o.  I was able to reproduce the information
disclosure and test that the version just uploaded to unstable no longer
exhibits the disclosure.

Version 1.7+dfsg-5 addresses this bug for sid and should also be
appropriate for jessie.  I'll look at wheezy and squeeze next.

Thank you,
tony

[signature.asc (application/pgp-signature, attachment)]

Message #17 received at 780897-close@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: 780897-close@bugs.debian.org

Subject: Bug#780897: fixed in batik 1.7+dfsg-5

Date: Sat, 21 Mar 2015 23:33:53 +0000

Source: batik
Source-Version: 1.7+dfsg-5

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 21 Mar 2015 15:24:17 -0700
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 771539 780897
Changes:
 batik (1.7+dfsg-5) unstable; urgency=medium
 .
   [ tony mancill ]
   * Team upload.
   * Update homepage URL to https://xmlgraphics.apache.org/batik/ in
     debian/control and debian/copyright. (Closes: #771539)
   * Add debian/patches/cve_2015_0250.patch to disable external XML entity
     resolution (information disclosure).  This addresses CVE-2015-0250.
     (Closes: #780897)
 .
   [ Emmanuel Bourg ]
   * Replaced the Build-Id in the manifests with a constant value
     to make the build reproducible.
Checksums-Sha1:
 705e68ba6f4c03e37a8259151c86c553463cbe84 2213 batik_1.7+dfsg-5.dsc
 bc9d69b97e2587e2a33435f9b88566e4d0bedd3b 12580 batik_1.7+dfsg-5.debian.tar.xz
 d7a66b06cc122f90cf634be692bc6aa456065472 2861372 libbatik-java_1.7+dfsg-5_all.deb
Checksums-Sha256:
 e733554f0a4106b7266b677dfb2982c9260e0448fb7d710698f05a2064f46352 2213 batik_1.7+dfsg-5.dsc
 8c5ab35e8edca96f119e7550e8839490dc526bbcec732740bac32c43762ea15d 12580 batik_1.7+dfsg-5.debian.tar.xz
 086e18bd07ba13cf4bd9af87b82d0347970f5a91625a01b0a77f1e23d156e0d2 2861372 libbatik-java_1.7+dfsg-5_all.deb
Files:
 3e58c10ce9d1a027cdfcf3e2af64d64c 2213 java optional batik_1.7+dfsg-5.dsc
 1d66de13c1bc0f4eda258e2eae70d51d 12580 java optional batik_1.7+dfsg-5.debian.tar.xz
 a6354d8253db3df6edbf6cd7100a56e5 2861372 java optional libbatik-java_1.7+dfsg-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVDf4LAAoJECHSBYmXSz6Ws0cP+wV0YEeFTd8F6Q3GuYNWU0JD
Rf+pJucLrvRy4aSNci2f+B9aGJJyoNtYyspf5N4MtvPM4JVU/Pij5qEychShZf8r
ajSu85PAFCnvc65HLXsCAT4SkUXdWl/M6YYe8/jg5DAfZf0Tl+tqXR2imjiAnGJz
cgcF3AxilOAk4ywSFyPATBF71btwAKHoy29sSlk6T1V7aSCZhBp0TMMWdLDDCabH
ENrFdL+ATQMKRviaxhyi4dsssGL8S9vrU5I4nkqUF8f/VA0X215V8l8U9Nv+pRnv
UTgOWyB6thVNgLuFc53SP9UuOo9vF+gOXHqr4l0jPt10Jk6g+pDQPBmMiRa1SrPO
xo9nvOmuyyaNDHeg43bWKlLnXUotb+TTqxQVNL9xrUMe0BO7Zpb+t5GozctRqgW4
qPReweJ/Q+Gs8C+YbKOUH3LND7os6a4hSiO23OkGgSh4Tpvi7XoP0/qUgpFV4rhX
8HiiQv4Xdz2o/GG30NYbsG9WpwBszf0Uz8Fa9t+vY46s7WzzDHLpit0tzHt+nfzm
tSyoNuXqyBvGDYx/JhZFzKQ2ZsHAUXuDXBc1uP90mEreXCkd5MCZcrh497UqtFPO
GbJE2fiG45dBz05Zd1uqntQJH/uCbgbaAWHkOBUZ5ALJDwbsEZcLiG/tz6h8P5u5
FYVWtOUZxVWYD+s4Z7YB
=kO10
-----END PGP SIGNATURE-----

Message #22 received at 780897@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: tony mancill <tmancill@debian.org>, 780897@bugs.debian.org

Subject: Re: Bug#780897: batik: CVE-2015-0250

Date: Sun, 22 Mar 2015 15:02:38 +0100

Hi Tony,

On Sat, Mar 21, 2015 at 04:31:38PM -0700, tony mancill wrote:
> On 03/21/2015 12:07 AM, Salvatore Bonaccorso wrote:
> > Source: batik
> > Version: 1.7-1
> > Severity: important
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for batik.
> > 
> > CVE-2015-0250[0]:
> > information disclosure
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2015-0250
> > [1] http://seclists.org/oss-sec/2015/q1/864
> > 
> > Regards,
> > Salvatore
> 
> Hello Salvatore,
> 
> Thank you for the bug report and the detailed information in
> security-tracker.d.o.  I was able to reproduce the information
> disclosure and test that the version just uploaded to unstable no longer
> exhibits the disclosure.

Thanks for the fixes! batik has now already be unblocked by Niels
Thykier AFAICS.

Regards,
Salvatore

Message #27 received at 780897@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: team@security.debian.org

Cc: 780897@bugs.debian.org

Subject: wheezy-security update for batik (CVE-2015-0250)

Date: Wed, 25 Mar 2015 21:13:54 -0700

[Message part 1 (text/plain, inline)]

Dear Security Team,

I have prepared an update for batik [1] in wheezy to address
CVE-2015-0250.  Attached is the debdiff.  Please let me know if you
would like me to upload it.

Thank you,
tony

[1] https://security-tracker.debian.org/tracker/source-package/batik

[batik_1.7+dfsg-3.dsc_batik_1.7+dfsg-3+deb7u1.dsc.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #32 received at 780897@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: tony mancill <tmancill@debian.org>

Cc: team@security.debian.org, 780897@bugs.debian.org

Subject: Re: wheezy-security update for batik (CVE-2015-0250)

Date: Thu, 26 Mar 2015 09:40:31 +0100

On Mar/25, tony mancill wrote:
> I have prepared an update for batik [1] in wheezy to address
> CVE-2015-0250.  Attached is the debdiff.  Please let me know if you
> would like me to upload it.

Hi Tony,

I've reviewed your debdiff and it looks good. Please upload to
security-master-unembargoed, and we'll take it from there. Also, make
sure your package gets build with -sa, as batik will be new on
security-master.

Cheers,

--Seb

Message #37 received at 780897-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>

To: 780897-close@bugs.debian.org

Subject: Bug#780897: fixed in batik 1.7-6+deb6u1

Date: Fri, 27 Mar 2015 19:03:30 +0000

Source: batik
Source-Version: 1.7-6+deb6u1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Mar 2015 19:30:00 +0100
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7-6+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 libbatik-java - xml.apache.org SVG Library
Closes: 780897
Changes: 
 batik (1.7-6+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add debian/patches/cve_2015_0250.patch to disable external XML entity
     resolution (information disclosure).  This addresses CVE-2015-0250.
     (Closes: #780897)
Checksums-Sha1: 
 6b494629c426f9d896a5e5bb7ee0f56d8da7ab5d 2330 batik_1.7-6+deb6u1.dsc
 6fbd1c593484bf5a7f8d9e2aadb5871c635b4753 12434325 batik_1.7.orig.tar.gz
 927d832999b451cb34a66702df8c98d18b9d0908 11763 batik_1.7-6+deb6u1.debian.tar.gz
 bd2a4fb27d293ceec79665fed7841b7dbffac5ed 9535078 libbatik-java_1.7-6+deb6u1_all.deb
Checksums-Sha256: 
 745fe5c5545f0bc0f66c50e0b2078ed3f06797ae41ad82438490a90245ab4d06 2330 batik_1.7-6+deb6u1.dsc
 ad4b3cc786f067eff03a9e30f7f9d43ddca749b36be267ee4eb437a02f3a0bc0 12434325 batik_1.7.orig.tar.gz
 5c2f17e848628ef2cec832f4dfab947c5e6c3f3fc6bf34896eb4a5c5c84ac525 11763 batik_1.7-6+deb6u1.debian.tar.gz
 1850590fa14b47b24acb7ec6e48bcb83d12c9da6847064930566f85bfd9a4cc2 9535078 libbatik-java_1.7-6+deb6u1_all.deb
Files: 
 41c02d12261cb358793d08ff9d6f5433 2330 java optional batik_1.7-6+deb6u1.dsc
 e102c0d999e9136b88ce1e6e56e3a6ac 12434325 java optional batik_1.7.orig.tar.gz
 803b2d905e85d3c69e137ee2bbefcd7f 11763 java optional batik_1.7-6+deb6u1.debian.tar.gz
 1afd9f596ff45e089d660c14f8cf48d0 9535078 java optional libbatik-java_1.7-6+deb6u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJVFacNXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHMgYQAJyiXpqpvb1X8k126RtL8tui
lFw+spLncH/UtIr5Jc7+6bCr4hqYcp46dypKXAhuclLCrJPdjPZJm9lVUts8FXQI
u9LTmHo1u9nLMBYF/DneMzvQ4WjCXsems2griB+IeGtujl6/3/g4FUs3MgeYtyMA
LY2Qtw3KWX2IH/rH4qrb+oQdyk/vmPG0EwdfM8pals4dkNW4QUxlWCiyhZRu7kuo
d1aXIz0zIn6lxwZJhacSZTW6zU1dMJWUmABXqMfOPeKxiIIA6eR4jT0vRLzHXew0
hbN4/74g2Y4UOn5cqAKRABzJwy7h8akpV3MBpYIjGmhjOJsO+YHAXPmoMWV5Z+B7
VwiEX+yWZBnRRJEe7S1xqXrM5wtPh4q/Vibnkq36DrbtE6x34yRBU+ZI8DCgTBzj
mSXLrbntXrxAr9GGDYTmNpfRiMeWFpgduWXys7mSSIsCn6Bva/U+1idDk1aS5Ycm
oKvY/bFMW1RAbB0ew4iERNQiqnhuQrrGTagiGuVWcw2o5JcjZU5XSYX0aEQylFVK
P4f/DE9YE59UoUJOqAjVHQ1WGqCFVPOEjdi2PKl/L7bKCulubGlhdSkPxiwPdLVj
JQWKXAVTlxkLwgvKQI6CAMvNEyGNoDgT66+MU6NN4UAmbNCZBxwSYfHvLzsRbAgX
5FZc2EV3hz5/e0rRX1Q8
=m5dl
-----END PGP SIGNATURE-----

Message #42 received at 780897-close@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: 780897-close@bugs.debian.org

Subject: Bug#780897: fixed in batik 1.7+dfsg-3+deb7u1

Date: Sun, 29 Mar 2015 15:47:05 +0000

Source: batik
Source-Version: 1.7+dfsg-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2015 05:17:00 +0000
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 libbatik-java - xml.apache.org SVG Library
Closes: 780897
Changes: 
 batik (1.7+dfsg-3+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Add debian/patches/cve_2015_0250.patch to disable external XML entity
     resolution (information disclosure).  This addresses CVE-2015-0250.
     (Closes: #780897)
Checksums-Sha1: 
 0859c65dc3e5e61ded733b353916dba8963c35a9 2264 batik_1.7+dfsg-3+deb7u1.dsc
 b9e8d2bdedcb1ddf553c9b99115165264cf8b4b8 4290288 batik_1.7+dfsg.orig.tar.xz
 9603ec612a42fb5e01017f69c29d9e03d15a6046 12858 batik_1.7+dfsg-3+deb7u1.debian.tar.gz
 ccce71c3b8cf9f9c8619c7df068397864915b162 8699530 libbatik-java_1.7+dfsg-3+deb7u1_all.deb
Checksums-Sha256: 
 56ebcb1209ddb4b2f90dab2ca67c858fd3227272077213e9147ac844fdb2fcfb 2264 batik_1.7+dfsg-3+deb7u1.dsc
 2003bc124a01cedb1ebebda32c1412a0a8292573348d751f8b06fa24dcf03124 4290288 batik_1.7+dfsg.orig.tar.xz
 9c0de3e256d8cfb590d71abc502e997e090d0ce0083621ba68fa0db24495729e 12858 batik_1.7+dfsg-3+deb7u1.debian.tar.gz
 7131041547b048bfed0182a8244805783b744eb8dd50ec452b7674ba355961b1 8699530 libbatik-java_1.7+dfsg-3+deb7u1_all.deb
Files: 
 2fc3db85b876f69f4875a8bc9b505c7e 2264 java optional batik_1.7+dfsg-3+deb7u1.dsc
 dfd317fa0c7bc9782273c05d3045b90c 4290288 java optional batik_1.7+dfsg.orig.tar.xz
 0cb637c19e4d4d1c4bc438f9ea7de7fe 12858 java optional batik_1.7+dfsg-3+deb7u1.debian.tar.gz
 1ba8477bfcf677a0d5be7564e002daa8 8699530 java optional libbatik-java_1.7+dfsg-3+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVFOJKAAoJECHSBYmXSz6WkFYP+waR/2wu3Aapb6AMtvRw0dpG
Rvx55NkEb7148EphpunS68sYU1A3e2doemx0NY5JrxNkcVOKVSY/nDmyd6Q/pwwB
NX1PpsMvcrMvnJwGnB/3eRGIbP4wQLAsphxP8hFVSwLhCLeoINBE0qh40jis0IrL
+fJN0ZW1qdCJNYlzV94dWBpdULXdgbzDaFbKrafl4oGZt2gBaiCOMX4kQVd7dAQ2
QE5yj+CG31Q5pc+Lid3BO+rZ6xWSGRGslbT3DiSmHf/H7QJUlFMFNV8qsuo2HAjP
QqZTOcL0fxq0MDg73rDNB/a0z9tr5ZqUnYCBZoD3ZrBjQpQKLuILvImW6jGXKMuy
6/SkXqihKTqEdXqK3nbutfP8aNK+IR2fwX/vcYBneoFhUHzRgZNEY0dYHNYaD25y
g5Jy3n50gfIO9iSAwht4OyxgK8Wa8kzo7UA6F3bj37aJMh0X8Z0j9hasFmSlxllz
4fcqept42TgeuSVCQByT6iXNwbzf8CL0LAvswPmdBSdDECpKFTy8LqjQ5Mn+ljYB
S0oZdrV5Mss+pwz5o2ZtQtk/7k4WrxD1hQNnSkQd714ph0OWM0h63+zfi53GCTh7
kdb9qZijLAZCMJSppeXEoccbVRsSrrq+fJKl9KzRNGu1VlafAJb+OuMZgs9HSB1Q
7WAHy0sdCIUrctpllvL6
=gTBS
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.