Debian Bug report logs - #674448
CVE-2012-2098

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 24 May 2012 18:15:02 UTC

Severity: grave

Tags: security

Found in version libcommons-compress-java/1.2-1

Fixed in version libcommons-compress-java/1.4.1-1

Done: Miguel Landaeta <miguel@miguel.cc>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Thu, 24 May 2012 18:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 24 May 2012 18:15:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2098
Date: Thu, 24 May 2012 20:13:35 +0200
Package: libcommons-compress-java
Version: 1.2-1
Severity: grave
Tags: security

Please see https://commons.apache.org/compress/security.html

Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
it through a point update for Squeeze 6.0.6.

Cheers,
        Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Sun, 17 Jun 2012 23:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 17 Jun 2012 23:09:02 GMT) (full text, mbox, link).


Message #10 received at 674448@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 674448@bugs.debian.org
Subject: Re: CVE-2012-2098
Date: Sun, 17 Jun 2012 18:41:47 -0430
[Message part 1 (text/plain, inline)]
tags 674448 + pending
thanks

On Thu, May 24, 2012 at 08:13:35PM +0200, Moritz Muehlenhoff wrote:
> Package: libcommons-compress-java
> Version: 1.2-1
> Severity: grave
> Tags: security
> 
> Please see https://commons.apache.org/compress/security.html
> 
> Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
> it through a point update for Squeeze 6.0.6.

This is already fixed in the svn repo. A new package will be uploaded soon.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 17 Jun 2012 23:09:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Thu, 21 Jun 2012 04:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 21 Jun 2012 04:45:02 GMT) (full text, mbox, link).


Message #17 received at 674448@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>
To: Miguel Landaeta <miguel@miguel.cc>, 674448@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#674448: CVE-2012-2098
Date: Wed, 20 Jun 2012 21:42:32 -0700
[Message part 1 (text/plain, inline)]
On 06/17/2012 04:11 PM, Miguel Landaeta wrote:
> tags 674448 + pending
> thanks
> 
> On Thu, May 24, 2012 at 08:13:35PM +0200, Moritz Muehlenhoff wrote:
>> Package: libcommons-compress-java
>> Version: 1.2-1
>> Severity: grave
>> Tags: security
>>
>> Please see https://commons.apache.org/compress/security.html
>>
>> Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
>> it through a point update for Squeeze 6.0.6.
> 
> This is already fixed in the svn repo. A new package will be uploaded soon.

Built and ready for upload, awaiting xz-java (new build-dep) to make it
through NEW.

How would the point update work for Squeeze given that there is a new
build dependency that needs to be added to Squeeze as well?  Once we
have approval, can we simply upload both the new package and the updated
libcommons-compress-java at the same time?

Cheers,
tony

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Thu, 21 Jun 2012 14:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 21 Jun 2012 14:42:03 GMT) (full text, mbox, link).


Message #22 received at 674448@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: tony mancill <tmancill@debian.org>
Cc: 674448@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#674448: CVE-2012-2098
Date: Thu, 21 Jun 2012 10:08:19 -0430
On Thu, Jun 21, 2012 at 12:12 AM, tony mancill <tmancill@debian.org> wrote:
> How would the point update work for Squeeze given that there is a new
> build dependency that needs to be added to Squeeze as well?  Once we
> have approval, can we simply upload both the new package and the updated
> libcommons-compress-java at the same time?

I'll check the upstream repository this weekend to try to backport the fix.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
Added blocking bug(s) of 674448: 677942 Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Tue, 26 Jun 2012 18:45:05 GMT) (full text, mbox, link).


Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Fri, 29 Jun 2012 21:26:49 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 29 Jun 2012 21:26:49 GMT) (full text, mbox, link).


Message #29 received at 674448-close@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: 674448-close@bugs.debian.org
Subject: Bug#674448: fixed in libcommons-compress-java 1.4.1-1
Date: Fri, 29 Jun 2012 21:20:15 +0000
Source: libcommons-compress-java
Source-Version: 1.4.1-1

We believe that the bug you reported is fixed in the latest version of
libcommons-compress-java, which is due to be installed in the Debian FTP archive:

libcommons-compress-java_1.4.1-1.debian.tar.gz
  to main/libc/libcommons-compress-java/libcommons-compress-java_1.4.1-1.debian.tar.gz
libcommons-compress-java_1.4.1-1.dsc
  to main/libc/libcommons-compress-java/libcommons-compress-java_1.4.1-1.dsc
libcommons-compress-java_1.4.1-1_all.deb
  to main/libc/libcommons-compress-java/libcommons-compress-java_1.4.1-1_all.deb
libcommons-compress-java_1.4.1.orig.tar.gz
  to main/libc/libcommons-compress-java/libcommons-compress-java_1.4.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674448@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated libcommons-compress-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 17 Jun 2012 18:08:36 -0430
Source: libcommons-compress-java
Binary: libcommons-compress-java
Architecture: source all
Version: 1.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libcommons-compress-java - Java API for working with tar, zip and bzip2 files
Closes: 674448
Changes: 
 libcommons-compress-java (1.4.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release. CVE-2012-2098 is fixed. (Closes: #674448).
   * Replace B-D on junit with junit4.
   * Add B-D on libxz-java.
   * Fix clean target to allow twice in a row builds.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Wed, 18 Jul 2012 15:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 18 Jul 2012 15:00:03 GMT) (full text, mbox, link).


Message #34 received at 674448@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 674448@bugs.debian.org
Subject: Re: CVE-2012-2098
Date: Wed, 18 Jul 2012 10:29:05 -0430
[Message part 1 (text/plain, inline)]
On Thu, May 24, 2012 at 08:13:35PM +0200, Moritz Muehlenhoff wrote:
> Package: libcommons-compress-java
> Version: 1.2-1
> Severity: grave
> Tags: security
> 
> Please see https://commons.apache.org/compress/security.html
> 
> Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
> it through a point update for Squeeze 6.0.6.

Hi Moritz,

I had prepared an upload to fix this issue in stable.

Are you OK with an upload to stable then?

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Wed, 18 Jul 2012 15:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 18 Jul 2012 15:18:03 GMT) (full text, mbox, link).


Message #39 received at 674448@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Miguel Landaeta <miguel@miguel.cc>, 674448@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#674448: CVE-2012-2098
Date: Wed, 18 Jul 2012 17:09:16 +0200
[Message part 1 (text/plain, inline)]
Hi,
* Miguel Landaeta <miguel@miguel.cc> [2012-07-18 17:02]:
> On Thu, May 24, 2012 at 08:13:35PM +0200, Moritz Muehlenhoff wrote:
> > Please see https://commons.apache.org/compress/security.html
> > 
> > Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
> > it through a point update for Squeeze 6.0.6.
> 
> I had prepared an upload to fix this issue in stable.
> 
> Are you OK with an upload to stable then?

Please notify the release team before.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Aug 2012 07:25:49 GMT) (full text, mbox, link).


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Fri, 17 Aug 2012 11:18:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Sat, 18 Aug 2012 12:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 Aug 2012 12:03:03 GMT) (full text, mbox, link).


Message #48 received at 674448@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 674448@bugs.debian.org
Subject: Re: CVE-2012-2098
Date: Sat, 18 Aug 2012 11:15:01 -0000
Package: libcommons-compress-java

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/674448/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#674448; Package libcommons-compress-java. (Sat, 18 Aug 2012 21:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 Aug 2012 21:21:03 GMT) (full text, mbox, link).


Message #53 received at 674448@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Jonathan Wiltshire <jmw@debian.org>, 674448@bugs.debian.org
Subject: Re: Bug#674448: CVE-2012-2098
Date: Sat, 18 Aug 2012 22:18:24 +0100
On Sat, 2012-08-18 at 11:15 +0000, Jonathan Wiltshire wrote:
> Package: libcommons-compress-java
> 
> Dear maintainer,
> 
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:

That's already requested via #681996.

Regards,

Adam
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Sep 2012 07:27:31 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:51:57 2019; Machine Name: buxtehude