Your message dated Wed, 04 Jan 2023 10:17:22 +0000
with message-id <[email protected]>
and subject line Bug#1025910: fixed in libcommons-net-java 3.6-1+deb11u1
has caused the Debian Bug report #1025910,
regarding libcommons-net-java: CVE-2021-37533
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1025910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025910
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcommons-net-java
Version: 3.6-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/NET-711
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libcommons-net-java.
CVE-2021-37533[0]:
| Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host
| from PASV response by default. A malicious server can redirect the
| Commons Net code to use a different host, but the user has to connect
| to the malicious server in the first place. This may lead to leakage
| of information about services running on the private network of the
| client. The default in version 3.9.0 is now false to ignore such
| hosts, as cURL does. See
| https://issues.apache.org/jira/browse/NET-711.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-37533
https://www.cve.org/CVERecord?id=CVE-2021-37533
[1] https://issues.apache.org/jira/browse/NET-711
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libcommons-net-java
Source-Version: 3.6-1+deb11u1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libcommons-net-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libcommons-net-java
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 29 Dec 2022 21:37:41 CET
Source: libcommons-net-java
Architecture: source
Version: 3.6-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Checksums-Sha1:
0e4c9c020e383167ae541efdab59807ff95d067a 2581 libcommons-net-java_3.6-1+deb11u1.dsc
9b066020b18f28f8d19c698690ac583ddd47c97e 7068 libcommons-net-java_3.6-1+deb11u1.debian.tar.xz
763e0af5854e58b70011acaba89ada2459f77d7a 14481 libcommons-net-java_3.6-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
50b200893ccc0eb72df9c06493a3cce8aee8fbcef05d8abd2e9a49f10fc7ad1c 2581 libcommons-net-java_3.6-1+deb11u1.dsc
b34a957475c4d76b7585a0181e1141a9f807609f990a095674e5788ea28064ad 7068 libcommons-net-java_3.6-1+deb11u1.debian.tar.xz
a62537fc2b6d8ca133dd3e3fd59e47af75bc406e4ecd74f83bcdfd1962667bb8 14481 libcommons-net-java_3.6-1+deb11u1_amd64.buildinfo
Closes: 1025910
Changes:
libcommons-net-java (3.6-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2021-37533:
ZeddYu Lu discovered that the FTP client of Apache Commons Net, a Java
client API for basic Internet protocols, trusts the host from PASV response
by default. A malicious server can redirect the Commons Net code to use a
different host, but the user has to connect to the malicious server in the
first place. This may lead to leakage of information about services running
on the private network of the client. (Closes: #1025910)
Files:
d7f58811f0534c249991b366b2bbca4e 2581 java optional libcommons-net-java_3.6-1+deb11u1.dsc
ab5bfeb84fc1c36bc2d44b82d1403d70 7068 java optional libcommons-net-java_3.6-1+deb11u1.debian.tar.xz
d0fd06a427f7c18bca9e2d92dceace4b 14481 java optional libcommons-net-java_3.6-1+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=yNYK
-----END PGP SIGNATURE-----
--- End Message ---
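The PASV trust problem described in Salvatore's report and repeated in the changelog entry above, modelled as an added Python example (this is not code from the page, from Debian, or from Apache Commons Net). It parses an RFC 959 "227 Entering Passive Mode" reply, chooses the data-connection endpoint under the old trusting default and under the hardened one (control-connection peer plus the advertised port, as cURL does), and labels replies that steer the client into its own private network. The control host, the two replies and the third address used in the usage note are constructed values; the function names and the `ip_address_from_pasv` flag are this example's own, chosen to mirror the `FTPClient.setIpAddressFromPasvResponse(boolean)` switch that Commons Net 3.9.0 introduced with a default of false.

```python
import re
from ipaddress import ip_address
from typing import Tuple

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The host is the four h octets, the port is p1*256 + p2.
_PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return the (host, port) a server advertises in a 227 PASV reply.

    Raises ValueError for anything that is not a well-formed 227 reply.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    match = _PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    return host, port


def data_endpoint(control_host: str, reply: str,
                  ip_address_from_pasv: bool = False) -> Tuple[str, int]:
    """Pick the endpoint for the data connection.

    ip_address_from_pasv=True models the pre-3.9.0 Commons Net default:
    connect to whatever host the server put in the reply.
    ip_address_from_pasv=False models the hardened default: keep the peer
    of the control connection and take only the port from the reply.
    """
    pasv_host, port = parse_pasv_reply(reply)
    if ip_address_from_pasv:
        return pasv_host, port
    return control_host, port


def classify_pasv_reply(control_host: str, reply: str) -> str:
    """Label a reply for logging or detection.

    'same-host'          the advertised host is the server itself
    'redirect-private'   the server points the client at a private, loopback
                         or link-local address, i.e. the client's own network
                         (the probe behind the CVE-2021-37533 information leak)
    'redirect-external'  the server points the client at some other host
    """
    pasv_host, _ = parse_pasv_reply(reply)
    advertised = ip_address(pasv_host)
    if advertised == ip_address(control_host):
        return "same-host"
    if advertised.is_private or advertised.is_loopback or advertised.is_link_local:
        return "redirect-private"
    return "redirect-external"


# Constructed sample traffic (not captured from a real server): the client
# opened its control connection to 203.0.113.5, a documentation-range address.
CONTROL_HOST = "203.0.113.5"
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"  # port 50000
MALICIOUS_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"     # 10.0.0.5:22


def demo() -> dict:
    """Run both policies against both replies; results returned for inspection."""
    return {
        "honest": data_endpoint(CONTROL_HOST, HONEST_REPLY),
        "vulnerable": data_endpoint(CONTROL_HOST, MALICIOUS_REPLY, ip_address_from_pasv=True),
        "hardened": data_endpoint(CONTROL_HOST, MALICIOUS_REPLY),
        "label": classify_pasv_reply(CONTROL_HOST, MALICIOUS_REPLY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value}")
```

Run as a script it prints the four results; the row to look at is `vulnerable`, where a server the client deliberately connected to gets it to open a TCP connection to 10.0.0.5:22 on the client's side of the firewall, which is the kind of internal probe the advisory's information-leak wording refers to. The `hardened` row keeps the data connection on 203.0.113.5 and takes only the port from the reply. `classify_pasv_reply` is the check to log on a client that still has to accept PASV hosts for NAT reasons: a reply whose host differs from the control peer and lands in private space deserves an alert rather than a connect.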