Your message dated Sat, 15 Oct 2022 21:10:45 +0000
with message-id <e1ojoqf-007jr9...@fasolo.debian.org>
and subject line Bug#1021787: fixed in commons-text 1.10.0-1
has caused the Debian Bug report #1021787,
regarding commons-text: CVE-2022-42889
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1021787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: commons-text
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for commons-text.

CVE-2022-42889[0]:
| Apache Commons Text performs variable interpolation, allowing
| properties to be dynamically evaluated and expanded. The standard
| format for interpolation is "${prefix:name}", where "prefix" is used
| to locate an instance of org.apache.commons.text.lookup.StringLookup
| that performs the interpolation. Starting with version 1.5 and
| continuing through 1.9, the set of default Lookup instances included
| interpolators that could result in arbitrary code execution or contact
| with remote servers. These lookups are:
|   - "script" - execute expressions using the JVM script execution
|     engine (javax.script)
|   - "dns" - resolve dns records
|   - "url" - load values from urls, including from remote servers
| Applications using the interpolation defaults in the affected
| versions may be vulnerable to remote code execution or unintentional
| contact with remote servers if untrusted configuration values are
| used. Users are recommended to upgrade to Apache Commons Text 1.10.0,
| which disables the problematic interpolators by default.

https://www.openwall.com/lists/oss-security/2022/10/13/4

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42889
    https://www.cve.org/CVERecord?id=CVE-2022-42889

Please adjust the affected versions in the BTS as needed.

--- End Message ---
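The CVE text above turns on which lookups the interpolator is built with: the defaults on 1.5 through 1.9 include "script", "dns" and "url", and 1.10.0 removes them from the default set. As an added example that is not part of this bug report, of the Debian package or of commons-text itself, the following Java snippet shows the construction an application can use on any of these versions: an interpolating StringSubstitutor built from an explicit allowlist of lookups, with the library's default set switched off, plus a check that the three prefixes named in the CVE are not registered. The prefix names "app" and "date" and the sample values are chosen here and are assumptions about what a given application needs.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.InterpolatorStringLookup;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not commons-text's own code): build an interpolator from an
 * explicit allowlist of lookups so that the "script", "dns" and "url" lookups
 * named in CVE-2022-42889 are never reachable from a "${prefix:name}"
 * expression, regardless of which library version's defaults are in effect.
 */
public final class SafeInterpolator {

    private SafeInterpolator() {
    }

    /**
     * Returns a substitutor whose only prefixes are the ones placed in the map.
     * The third argument to interpolatorStringLookup (addDefaultLookups = false)
     * is what keeps the library's default lookup set out of the interpolator;
     * StringSubstitutor.createInterpolator() would use the defaults instead.
     */
    public static StringSubstitutor createAllowlisted(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        Map<String, StringLookup> allowed = new HashMap<>();
        // Prefixes chosen for this example; a real application lists only what it uses.
        allowed.put("app", factory.mapStringLookup(appValues)); // ${app:key}
        allowed.put("date", factory.dateStringLookup());        // ${date:yyyy-MM-dd}

        // No fallback lookup for prefix-less keys, no default lookup set.
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    /**
     * Defensive check: true if none of the CVE-2022-42889 prefixes is registered
     * on the substitutor's interpolator. The check inspects the registered map
     * rather than expanding a probe string, so nothing is executed or resolved.
     */
    public static boolean dangerousLookupsDisabled(StringSubstitutor substitutor) {
        StringLookup lookup = substitutor.getStringLookup();
        if (!(lookup instanceof InterpolatorStringLookup)) {
            // Not an interpolator at all: no prefixed lookups can be dispatched.
            return true;
        }
        Map<String, StringLookup> registered =
            ((InterpolatorStringLookup) lookup).getStringLookupMap();
        for (String prefix : new String[] {"script", "dns", "url"}) {
            if (registered.containsKey(prefix)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values for the ${app:...} prefix.
        Map<String, String> values = new HashMap<>();
        values.put("name", "commons-text");

        StringSubstitutor substitutor = createAllowlisted(values);
        System.out.println(substitutor.replace("Package ${app:name} built on ${date:yyyy-MM-dd}"));
        System.out.println("script/dns/url unreachable: " + dangerousLookupsDisabled(substitutor));
    }
}
```

The allowlist is the part that matters: upgrading to 1.10.0 changes only the defaults, so an application that registers "script", "dns" or "url" itself stays exposed on any version, and configuration values that originate from untrusted sources should not reach an interpolating substitutor at all. The check can be run once at startup against whichever substitutor the application actually uses.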
--- Begin Message ---
Source: commons-text
Source-Version: 1.10.0-1
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
commons-text, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1021...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated commons-text package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Oct 2022 13:23:14 -0700
Source: commons-text
Architecture: source
Version: 1.10.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1021787
Changes:
 commons-text (1.10.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.10.0
     - Addresses CVE-2022-42889 (Closes: #1021787)
   * Update debian/maven.ignoreRules for optional upstream deps
   * Freshen years in debian/copyright
   * Bump Standards-Version to 4.6.1
Checksums-Sha1:
 e69e297aa91ff26029c40c970655631c060c57c3 2128 commons-text_1.10.0-1.dsc
 470e67fa3aafd8570f709283f987f470043739c4 343578 commons-text_1.10.0.orig.tar.gz
 790ea11f56f94d4b1f34841716d3a8dddc05fe79 2656 commons-text_1.10.0-1.debian.tar.xz
 795972d888a23ba397169b1da14923c469ca2115 13457 commons-text_1.10.0-1_amd64.buildinfo
Checksums-Sha256:
 95f323cea0f13dae71dc7c0cc2400ca323faeadaa40294294bdbf5041a6e91d0 2128 commons-text_1.10.0-1.dsc
 3611aa48a9506e72c6b1bd9243fec284ab13aaf143031c389be610d136a2d4e3 343578 commons-text_1.10.0.orig.tar.gz
 c307680e14c77de663fd6e1d9dcc0accc896907f235537206dfbff968348ab8e 2656 commons-text_1.10.0-1.debian.tar.xz
 bd6cb1eaaa59595ef9c4804dc483f698413646b38a68de1cad3c60b127d197a9 13457 commons-text_1.10.0-1_amd64.buildinfo
Files:
 6d5a2992e768cb8252807e1d23bcbf7b 2128 java optional commons-text_1.10.0-1.dsc
 1f35ad2bad5457a7f61534fb5e4c9536 343578 java optional commons-text_1.10.0.orig.tar.gz
 b90e385c16022f8e33cd555b7bc411b0 2656 java optional commons-text_1.10.0-1.debian.tar.xz
 5399d4850d1a11dae141704bbbd8c2bc 13457 java optional commons-text_1.10.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
