libapache-poi-java: CVE-2017-5644

Related Vulnerabilities: CVE-2017-5644, CVE-2017-12626

Debian Bug report logs - #858301
libapache-poi-java: CVE-2017-5644


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 20 Mar 2017 20:36:01 UTC

Severity: important

Tags: security, upstream

Found in version libapache-poi-java/3.10.1-2

Fixed in version libapache-poi-java/3.17-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#858301; Package src:libapache-poi-java. (Mon, 20 Mar 2017 20:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 Mar 2017 20:36:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache-poi-java: CVE-2017-5644
Date: Mon, 20 Mar 2017 21:32:30 +0100
Source: libapache-poi-java
Version: 3.10.1-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libapache-poi-java.

CVE-2017-5644[0]:
denial-of-service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5644
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5644
[1] http://www.openwall.com/lists/oss-security/2017/03/20/9

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#858301. (Thu, 17 Jan 2019 10:12:05 GMT) (full text, mbox, link).


Message #8 received at 858301-submitter@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 858301-submitter@bugs.debian.org
Subject: Bug #858301 in libapache-poi-java marked as pending
Date: Thu, 17 Jan 2019 10:09:36 +0000
Control: tag -1 pending

Hello,

Bug #858301 in libapache-poi-java reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/libapache-poi-java/commit/db76629f966aa09a5bf0c07034f3f9961fe10077

------------------------------------------------------------------------
The new release fixes CVE-2017-5644 (Closes: #858301)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/858301



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to 858301-submitter@bugs.debian.org. (Thu, 17 Jan 2019 10:12:05 GMT) (full text, mbox, link).


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 17 Jan 2019 10:39:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 Jan 2019 10:39:05 GMT) (full text, mbox, link).


Message #15 received at 858301-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 858301-close@bugs.debian.org
Subject: Bug#858301: fixed in libapache-poi-java 3.17-1
Date: Thu, 17 Jan 2019 10:35:06 +0000
Source: libapache-poi-java
Source-Version: 3.17-1

We believe that the bug you reported is fixed in the latest version of
libapache-poi-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858301@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libapache-poi-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Jan 2019 10:43:53 +0100
Source: libapache-poi-java
Binary: libapache-poi-java libapache-poi-java-doc
Architecture: source
Version: 3.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libapache-poi-java - Apache POI - Java API for Microsoft Documents
 libapache-poi-java-doc - Apache POI - Java API for Microsoft Documents (Documentation)
Closes: 800958 858301 888651
Changes:
 libapache-poi-java (3.17-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #800958)
     - Fixes CVE-2017-5644: XML Entity Expansion (XEE) attack with specially
       crafted OOXML file (Closes: #858301)
     - Fixes CVE-2017-12626: Infinite Loops while parsing crafted WMF, EMF, MSG
       and macros. Out of memory errors while parsing crafted DOC, PPT and XLS
       (Closes: #888651)
     - Refreshed the patches
     - New dependencies on libcurvesapi-java and libcommons-collections4-java
     - Updated the path to the Maven artifacts produced by the build
     - Added xmlbeans to the build classpath
     - Patched the xsds to resolve the external schemas in offline mode
     - Disabled the JMH benchmarks
   * Build with Java 8 temporarily
   * Standards-Version updated to 4.3.0
Checksums-Sha1:
 f3709123708d1e328d320baa668b2e065e4a96f3 2504 libapache-poi-java_3.17-1.dsc
 6b31a72cdca37494362ca9a0dc9b2095d543ff26 71723032 libapache-poi-java_3.17.orig.tar.xz
 3a3bebb374f4a459482092f1d5d115814e8aa03a 11736 libapache-poi-java_3.17-1.debian.tar.xz
 309fe75367457bc457c1165558a61071865fcf2c 14547 libapache-poi-java_3.17-1_source.buildinfo
Checksums-Sha256:
 112ae1fe5383bdaa9cf1db75b0eb65da5a319e4cf3efc5eb71732267e7bb2ba1 2504 libapache-poi-java_3.17-1.dsc
 d6491e73830b0331e66a431fd9823f682ac1a81b80412f28658d32018b6dec1e 71723032 libapache-poi-java_3.17.orig.tar.xz
 319489d9cf3b659f8d3369d53dc61c71c8e44558a064a13a9edcca473a6d677e 11736 libapache-poi-java_3.17-1.debian.tar.xz
 3dc591d35fdf0bc203a3744ca0e11bc1d0c4d44b79541005407462f94dc72296 14547 libapache-poi-java_3.17-1_source.buildinfo
Files:
 490ac72e18356a51470a5107d2a61f01 2504 java optional libapache-poi-java_3.17-1.dsc
 85b30b6906fc2943cf2817c4f718b323 71723032 java optional libapache-poi-java_3.17.orig.tar.xz
 c747cabf11998ed0a73aa6a9cfa3a1cd 11736 java optional libapache-poi-java_3.17-1.debian.tar.xz
 955554d170ef838800e4a1543c728bcf 14547 java optional libapache-poi-java_3.17-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
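The changelog above describes CVE-2017-5644 as an XML Entity Expansion (XEE) denial of service triggered by a crafted OOXML file. The example below is added here and is not code from Apache POI, from the Debian package, or from the upstream fix shipped in 3.17; it shows the general mitigation for this vulnerability class in application code that parses OOXML parts (or any XML) through the JDK's JAXP `DocumentBuilderFactory`. The class name `HardenedXmlParser`, the two sample documents and the `accepts` helper are constructed for illustration; the feature URIs and `XMLConstants.FEATURE_SECURE_PROCESSING` are the standard JAXP/Xerces settings.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not Apache POI or Debian code): a JAXP DocumentBuilderFactory
 * configured so that a DOCTYPE-bearing document, the carrier for entity
 * expansion (XEE) payloads, is rejected before any entity is expanded.
 */
public class HardenedXmlParser {

    // Constructed sample: an ordinary OOXML-style shared-strings part with no DTD.
    static final String PLAIN_SAMPLE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
      + "<sst xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\">"
      + "<si><t>hello</t></si></sst>";

    // Constructed sample: the same part with an internal DTD declaring one entity.
    // Harmless by itself, but a DTD is the precondition for an expansion attack,
    // so the hardened parser refuses it wholesale.
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
      + "<!DOCTYPE sst [ <!ENTITY greeting \"hello\"> ]>"
      + "<sst><si><t>&greeting;</t></si></sst>";

    /** A factory that refuses DTDs and never resolves external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Turns on the JDK's processing limits (entity expansion count, nesting depth, ...).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE means no custom entities to expand: the parser aborts on the declaration.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the given factory; false means the parser rejected the input. */
    static boolean accepts(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        DocumentBuilderFactory hardened = hardenedFactory();
        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        System.out.println("plain part, hardened parser   : " + accepts(hardened, PLAIN_SAMPLE));
        System.out.println("DOCTYPE part, hardened parser : " + accepts(hardened, DOCTYPE_SAMPLE));
        System.out.println("DOCTYPE part, default parser  : " + accepts(defaults, DOCTYPE_SAMPLE));
    }
}
```

Run with the JDK's built-in parser, the hardened factory accepts the plain part and rejects the DOCTYPE part, while a factory left at its defaults accepts both. The point for a defender is the first `setFeature` pair: refusing the DOCTYPE declaration outright removes the entity-expansion surface entirely, and the secure-processing limits cap whatever a parser that still honours DTDs would expand. Where an application cannot reject DTDs (legacy documents that rely on them), the JDK's entity expansion limit is the remaining guard rail, and a rejected or limit-exceeding parse is worth logging as a potential crafted-file event.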




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2019 07:25:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:47 2019; Machine Name: buxtehude
