Your message dated Wed, 13 Jun 2018 22:17:33 +0000
with message-id <e1fte58-0008sh...@fasolo.debian.org>
and subject line Bug#900953: fixed in plexus-archiver 1.2-1+deb8u1
has caused the Debian Bug report #900953,
regarding plexus-archiver: CVE-2018-1002200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plexus-archiver
Version: 3.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87

Hi,

The following vulnerability was published for plexus-archiver.

CVE-2018-1002200[0]:
| arbitrary file write vulnerability / arbitrary code execution using a
| specially crafted zip file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
[1] https://github.com/codehaus-plexus/plexus-archiver/pull/87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: plexus-archiver
Source-Version: 1.2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Jun 2018 21:17:18 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: all source
Version: 1.2-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 900953
Description: 
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Changes:
 plexus-archiver (1.2-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fail when trying to extract outside of dest dir (CVE-2018-1002200)
     Fixes arbitrary file write vulnerability using a specially crafted zip
     file. (Closes: #900953)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
