Your message dated Mon, 02 Aug 2021 06:48:26 +0000
with message-id <[email protected]>
and subject line Bug#984949: fixed in xmlgraphics-commons 2.4-2
has caused the Debian Bug report #984949,
regarding xmlgraphics-commons: CVE-2020-11988: SSRF due to improper input validation by the XMPParser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
984949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984949
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xmlgraphics-commons
Version: 2.4-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/XGC-122
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for xmlgraphics-commons.

CVE-2020-11988[0]:
| Apache XmlGraphics Commons 2.4 is vulnerable to server-side request
| forgery, caused by improper input validation by the XMPParser. By
| using a specially-crafted argument, an attacker could exploit this
| vulnerability to cause the underlying server to make arbitrary GET
| requests.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11988
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988
[1] https://www.openwall.com/lists/oss-security/2021/02/24/1
[2] https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
[3] https://issues.apache.org/jira/browse/XGC-122

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xmlgraphics-commons
Source-Version: 2.4-2
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xmlgraphics-commons, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated xmlgraphics-commons package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 02 Aug 2021 07:48:42 +0200
Source: xmlgraphics-commons
Architecture: source
Version: 2.4-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 984949
Changes:
 xmlgraphics-commons (2.4-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2020-11988:
     Apache XmlGraphics Commons is vulnerable to server-side request forgery,
     caused by improper input validation by the XMPParser. By using a
     specially-crafted argument, an attacker could exploit this vulnerability to
     cause the underlying server to make arbitrary GET requests.
     (Closes: #984949)


--- End Message ---