Your message dated Mon, 16 Jan 2023 20:49:46 +0000
with message-id <[email protected]>
and subject line Bug#1029038: fixed in zip4j 2.11.2-3
has caused the Debian Bug report #1029038,
regarding zip4j: CVE-2023-22899
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1029038: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029038
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zip4j
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for zip4j.
CVE-2023-22899[0]:
| Zip4j through 2.11.2, as used in Threema and other products, does not
| always check the MAC when decrypting a ZIP archive.
https://github.com/srikanth-lingala/zip4j/issues/485
https://github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-22899
https://www.cve.org/CVERecord?id=CVE-2023-22899
Please adjust the affected versions in the BTS as needed.
--- End Message ---
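The point of the report above is that an encrypt-then-MAC construction is only safe if the receiver verifies the authentication code before it acts on the plaintext. The following Python illustration is added here and is not zip4j code or Debian's patch: it follows the published WinZip AES entry layout (PBKDF2-HMAC-SHA1 with 1000 iterations deriving cipher key, HMAC key and a 2-byte password verifier; a 10-byte authentication code that is the truncated HMAC-SHA1 of the ciphertext), but replaces AES-CTR with a SHA-256 counter keystream (an assumption made so the block runs with the standard library only). The salt, password and entry contents are constructed sample values. It shows a decrypt routine that skips the check beside one that always performs it, and what a modified entry does to each.

```python
import hashlib
import hmac
import os

# Constants from the WinZip AES (AE-1/AE-2) format description.
PBKDF2_ITERATIONS = 1000
SALT_LEN = 16          # salt length for AES-256 entries
VERIFIER_LEN = 2       # password verification value
AUTH_CODE_LEN = 10     # authentication code = first 10 bytes of HMAC-SHA1
KEY_LEN = 32           # AES-256 key size


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2 yields cipher key || HMAC key || 2-byte password verifier."""
    material = hashlib.pbkdf2_hmac(
        "sha1", password, salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + VERIFIER_LEN
    )
    return (
        material[:KEY_LEN],
        material[KEY_LEN:2 * KEY_LEN],
        material[2 * KEY_LEN:],
    )


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR (assumption: SHA-256 counter keystream, stdlib only).

    Symmetric: the same call encrypts and decrypts. A flipped ciphertext byte
    flips the same plaintext byte, which is why the MAC check matters.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "little")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_entry(password: bytes, plaintext: bytes, salt: bytes = None) -> bytes:
    """Produce salt || verifier || ciphertext || auth_code for one entry."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    cipher_key, mac_key, verifier = derive_keys(password, salt)
    ciphertext = keystream_xor(cipher_key, plaintext)
    auth_code = hmac.new(mac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    return salt + verifier + ciphertext + auth_code


def _split_entry(blob: bytes):
    salt = blob[:SALT_LEN]
    verifier = blob[SALT_LEN:SALT_LEN + VERIFIER_LEN]
    body = blob[SALT_LEN + VERIFIER_LEN:]
    return salt, verifier, body[:-AUTH_CODE_LEN], body[-AUTH_CODE_LEN:]


def decrypt_entry_unchecked(password: bytes, blob: bytes) -> bytes:
    """The weak pattern: plaintext is released without consulting the auth code."""
    salt, _verifier, ciphertext, _auth_code = _split_entry(blob)
    cipher_key, _mac_key, _expected = derive_keys(password, salt)
    return keystream_xor(cipher_key, ciphertext)


def decrypt_entry(password: bytes, blob: bytes) -> bytes:
    """The hardened pattern: verify password value and auth code, then decrypt."""
    salt, verifier, ciphertext, auth_code = _split_entry(blob)
    cipher_key, mac_key, expected_verifier = derive_keys(password, salt)
    if not hmac.compare_digest(verifier, expected_verifier):
        raise ValueError("wrong password")
    expected = hmac.new(mac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    if not hmac.compare_digest(auth_code, expected):
        raise ValueError("authentication code mismatch: entry data was modified")
    return keystream_xor(cipher_key, ciphertext)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate corruption or tampering of one byte of the stored entry."""
    data = bytearray(blob)
    data[index] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample: fixed salt so the run is reproducible.
    entry = encrypt_entry(b"correct horse", b"payroll.csv contents", salt=bytes(SALT_LEN))
    print(decrypt_entry(b"correct horse", entry))
    damaged = flip_byte(entry, SALT_LEN + VERIFIER_LEN)  # first ciphertext byte
    print(decrypt_entry_unchecked(b"correct horse", damaged))  # silently wrong
    try:
        decrypt_entry(b"correct horse", damaged)
    except ValueError as err:
        print("rejected:", err)
```

The unchecked variant returns garbage for a modified entry and never signals it; the checked variant refuses to return any plaintext. Both comparisons use `hmac.compare_digest` so the check itself does not leak timing information.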
--- Begin Message ---
Source: zip4j
Source-Version: 2.11.2-3
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
zip4j, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated zip4j package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Jan 2023 12:12:37 -0800
Source: zip4j
Architecture: source
Version: 2.11.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1029038
Changes:
zip4j (2.11.2-3) unstable; urgency=high
.
* Team upload.
.
[ Debian Janitor ]
* Remove constraints unnecessary since buster (oldstable)
.
[ tony mancill ]
* Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)
* Freshen years in debian/copyright
* Bump Standards-Version to 4.6.2
Checksums-Sha1:
72968824c56977c71f03f1661fb99c9f21050c62 1991 zip4j_2.11.2-3.dsc
15fd7e329e9ddf7ba3c7dd3832505d8ed0182977 4584 zip4j_2.11.2-3.debian.tar.xz
a207fbef5d2a427716b3acfff850ed520034f030 14284 zip4j_2.11.2-3_amd64.buildinfo
Checksums-Sha256:
435b90bf1c6ff5fb508bf868a52b98e1066f244148093ca3754af1c7f425b288 1991 zip4j_2.11.2-3.dsc
37ca70cc6b079f801b9f67912973e8d38c9708f91e0660acda9069129db20fb3 4584 zip4j_2.11.2-3.debian.tar.xz
8ba1bfb8aace8173d77681de0bc819cbd4a23c8eee246ee25a2ded0a87153880 14284 zip4j_2.11.2-3_amd64.buildinfo
Files:
fd7137963c76bc9600b71b973e72e759 1991 java optional zip4j_2.11.2-3.dsc
2ed0568e0cf632321fb4ce7b5831f028 4584 java optional zip4j_2.11.2-3.debian.tar.xz
bd494bdb98e5f0f726062afa3fb2309e 14284 java optional zip4j_2.11.2-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---