libthrift-java: CVE-2018-1320


Debian Bug report logs - #918736


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 8 Jan 2019 21:00:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libthrift-java/0.9.1-2

Fixed in versions libthrift-java/0.9.1-2.1, libthrift-java/0.9.1-2.1~deb9u1

Done: Andreas Beckmann <anbe@debian.org>

Forwarded to https://issues.apache.org/jira/browse/THRIFT-4506



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#918736; Package src:libthrift-java. (Tue, 08 Jan 2019 21:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 08 Jan 2019 21:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libthrift-java: CVE-2018-1320
Date: Tue, 08 Jan 2019 21:57:19 +0100
Source: libthrift-java
Version: 0.9.1-2
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/THRIFT-4506

Hi,

The following vulnerability was published for libthrift-java.

CVE-2018-1320[0]:
| Apache Thrift Java client library versions 0.5.0 through 0.11.0 can
| bypass SASL negotiation isComplete validation in the
| org.apache.thrift.transport.TSaslTransport class. An assert used to
| determine if the SASL handshake had successfully completed could be
| disabled in production settings making the validation incomplete.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1320
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
[1] https://issues.apache.org/jira/browse/THRIFT-4506
[2] https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e

Regards,
Salvatore
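The advisory above turns on a Java-specific pitfall: a security check written as an `assert` statement is silently skipped unless the JVM is started with `-ea`, which production deployments almost never do. The following class is an added illustration of that failure mode and of the fail-closed alternative; it is not code from Apache Thrift or from the upstream fix, and the `Negotiation` stand-in for the SASL client/server state, the two `open*` methods and their messages are constructed for this example.

```java
// Added illustration (not Apache Thrift's own code): a SASL-completion check
// placed in a Java `assert` versus an explicit check that fails closed.
import javax.security.sasl.SaslException;

public class SaslCompletionCheck {

    /** Constructed stand-in for the SaslClient/SaslServer state; only isComplete() matters here. */
    static final class Negotiation {
        private final boolean complete;
        Negotiation(boolean complete) { this.complete = complete; }
        boolean isComplete() { return complete; }
    }

    /** Weak pattern: with assertions disabled (the JVM default) this check does not execute at all. */
    static void openWithAssert(Negotiation sasl) {
        assert sasl.isComplete() : "SASL handshake not complete";
        // Under -da (default) execution reaches here even when the handshake never finished.
    }

    /** Hardened pattern: an ordinary conditional that rejects an unfinished handshake regardless of JVM flags. */
    static void openWithExplicitCheck(Negotiation sasl) throws SaslException {
        if (!sasl.isComplete()) {
            throw new SaslException("SASL handshake did not complete; refusing to open transport");
        }
    }

    public static void main(String[] args) {
        Negotiation unfinished = new Negotiation(false);

        // Standard idiom: the assignment only runs when assertions are enabled.
        boolean assertionsEnabled = false;
        assert assertionsEnabled = true;
        System.out.println("assertions enabled: " + assertionsEnabled);

        try {
            openWithAssert(unfinished);
            System.out.println("assert-based check: transport opened despite incomplete handshake");
        } catch (AssertionError e) {
            System.out.println("assert-based check: rejected (only because -ea was given)");
        }

        try {
            openWithExplicitCheck(unfinished);
            System.out.println("explicit check: transport opened (should not happen)");
        } catch (SaslException e) {
            System.out.println("explicit check: rejected: " + e.getMessage());
        }
    }
}
```

Run it twice, once as `java SaslCompletionCheck` and once as `java -ea SaslCompletionCheck`: the assert-based method lets the unfinished negotiation through in the first run and only rejects it in the second, while the explicit check rejects it in both. This is the property a code review should look for wherever `assert` guards authentication or authorization state.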



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 14 Jan 2019 17:42:06 GMT)


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 28 Jan 2019 15:57:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#918736; Package src:libthrift-java. (Wed, 06 Feb 2019 18:57:07 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 06 Feb 2019 18:57:07 GMT)


Message #14 received at 918736@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 918736@bugs.debian.org
Subject: Re: libthrift-java: CVE-2018-1320
Date: Wed, 6 Feb 2019 19:54:13 +0100
Dear maintainer,

I've uploaded a new version of libthrift-java, versioned as 0.9.1-2.1 to
fix CVE-2018-1320. Please find attached the debdiff.


Regards,

Markus
[libthrift-java.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 06 Feb 2019 19:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 06 Feb 2019 19:21:03 GMT)


Message #19 received at 918736-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 918736-close@bugs.debian.org
Subject: Bug#918736: fixed in libthrift-java 0.9.1-2.1
Date: Wed, 06 Feb 2019 19:19:49 +0000
Source: libthrift-java
Source-Version: 0.9.1-2.1

We believe that the bug you reported is fixed in the latest version of
libthrift-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918736@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libthrift-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Feb 2019 19:04:12 +0100
Source: libthrift-java
Architecture: source
Version: 0.9.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 918736
Changes:
 libthrift-java (0.9.1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-1320:
     It was discovered that it was possible to bypass SASL negotiation
     isComplete validation in the org.apache.thrift.transport.TSaslTransport
     class. An assert used to determine if the SASL handshake had successfully
     completed could be disabled in production settings making the validation
     incomplete. (Closes: #918736)
Checksums-Sha1:
 d1b8333774342a9b9dafa6661bb6264d9557d3eb 2301 libthrift-java_0.9.1-2.1.dsc
 126eab3f003eae06e620e7964eb9b227926c2e11 3224 libthrift-java_0.9.1-2.1.debian.tar.xz
 22a30bbc5be1f9e0a3145eba3a16edcd854bae2a 16747 libthrift-java_0.9.1-2.1_amd64.buildinfo
Checksums-Sha256:
 2dc5b734bbbeb6ef40a65f0c722f6e259201d9b9fa2de3476d5cc30e5a8b3778 2301 libthrift-java_0.9.1-2.1.dsc
 ec2bce943cde5acf766ca853ec9b5afc2b00ee73973aa2e047477b87e9f877b5 3224 libthrift-java_0.9.1-2.1.debian.tar.xz
 fbc6e0046c49f613200c918ab90fbbed944168d906a9f120d584594a8d0b7618 16747 libthrift-java_0.9.1-2.1_amd64.buildinfo
Files:
 f2a6d2269e9e46f8baa1e272ea67bb59 2301 java extra libthrift-java_0.9.1-2.1.dsc
 9cb7931277a664e2e7f045b552d949be 3224 java extra libthrift-java_0.9.1-2.1.debian.tar.xz
 4bc2728fb4eacc7713e7991ae5173801 16747 java extra libthrift-java_0.9.1-2.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Andreas Beckmann <anbe@debian.org>:
You have taken responsibility. (Sat, 08 Jun 2019 17:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 08 Jun 2019 17:36:04 GMT)


Message #24 received at 918736-close@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 918736-close@bugs.debian.org
Subject: Bug#918736: fixed in libthrift-java 0.9.1-2.1~deb9u1
Date: Sat, 08 Jun 2019 17:32:25 +0000
Source: libthrift-java
Source-Version: 0.9.1-2.1~deb9u1

We believe that the bug you reported is fixed in the latest version of
libthrift-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918736@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated libthrift-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Jun 2019 02:55:16 +0200
Source: libthrift-java
Binary: libthrift-java
Architecture: source
Version: 0.9.1-2.1~deb9u1
Distribution: stretch
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Description:
 libthrift-java - Java language support for Thrift
Closes: 918736
Changes:
 libthrift-java (0.9.1-2.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
 libthrift-java (0.9.1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-1320:
     It was discovered that it was possible to bypass SASL negotiation
     isComplete validation in the org.apache.thrift.transport.TSaslTransport
     class. An assert used to determine if the SASL handshake had successfully
     completed could be disabled in production settings making the validation
     incomplete. (Closes: #918736)
Checksums-Sha1:
 2f8644b57303fd19a2641d2db299a261491a7ae7 2203 libthrift-java_0.9.1-2.1~deb9u1.dsc
 9b0a6d34e1ba07debc8ea3e6232f07d7bd943b5b 3288 libthrift-java_0.9.1-2.1~deb9u1.debian.tar.xz
 279c985f85a6bdcec3bf5d4a5d4e66993f536420 15015 libthrift-java_0.9.1-2.1~deb9u1_source.buildinfo
Checksums-Sha256:
 0588b44f236fabef34aa13897966648ca3d219c97fc4ef054313fbf7fd349383 2203 libthrift-java_0.9.1-2.1~deb9u1.dsc
 002509827e42d6cef130629052cbba9acf729c0f6c675c90bccf0304045665c4 3288 libthrift-java_0.9.1-2.1~deb9u1.debian.tar.xz
 5ffbd4f3f04f6107fec1f042b9c2fbefe72c293eaaa851f754c75e19251f1ea5 15015 libthrift-java_0.9.1-2.1~deb9u1_source.buildinfo
Files:
 dfc52f5a6052f663fe3375bd71eadb32 2203 java extra libthrift-java_0.9.1-2.1~deb9u1.dsc
 3cc21675499a3adaaa074831ed39453c 3288 java extra libthrift-java_0.9.1-2.1~deb9u1.debian.tar.xz
 b31117c8f12a8c7b119c8958c3c75270 15015 java extra libthrift-java_0.9.1-2.1~deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:55:28 2019; Machine Name: beach
