Your message dated Thu, 14 Jun 2018 19:17:10 +0000
with message-id <e1ftxk6-0004ch...@fasolo.debian.org>
and subject line Bug#900953: fixed in plexus-archiver 2.2-1+deb9u1
has caused the Debian Bug report #900953,
regarding plexus-archiver: CVE-2018-1002200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plexus-archiver
Version: 3.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87

Hi,

The following vulnerability was published for plexus-archiver.

CVE-2018-1002200[0]:
| arbitrary file write vulnerability / arbitrary code execution using a
| specially crafted zip file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
[1] https://github.com/codehaus-plexus/plexus-archiver/pull/87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: plexus-archiver
Source-Version: 2.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Jun 2018 16:49:48 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: source
Version: 2.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Closes: 900953
Changes:
 plexus-archiver (2.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fail when trying to extract outside of dest dir (CVE-2018-1002200)
     Fixes arbitrary file write vulnerability using a specially crafted zip
     file. (Closes: #900953)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
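
The kind of check the changelog entry above names ("Fail when trying to extract outside of dest dir"), as an added example. This is not the plexus-archiver patch or Debian's code; the class and method names (`ExtractGuard`, `resolveEntry`) and the sample entry names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class ExtractGuard {

    /**
     * Resolve an archive entry name against destDir and fail if the
     * resulting file would be written outside of destDir.
     * (Hypothetical helper, not an API of plexus-archiver.)
     */
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);

        // getCanonicalPath() collapses "." and ".." segments and resolves
        // symlinks that already exist on disk, so the comparison is made on
        // the location that would really be written to.
        String destPath = destDir.getCanonicalPath();
        String targetPath = target.getCanonicalPath();

        // Compare against destPath plus a separator: a plain startsWith(destPath)
        // would accept a sibling directory such as "<dest>-sibling".
        boolean inside = targetPath.equals(destPath)
                || targetPath.startsWith(destPath + File.separator);
        if (!inside) {
            throw new IOException("Entry is outside of the target directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("extract-guard").toFile();

        // Constructed entry names: two benign, three that leave the destination.
        String[] names = {
            "lib/a.jar",
            "./docs/../README",
            "../escape.txt",
            "a/../../escape.txt",
            "../" + dest.getName() + "-sibling/x"
        };
        for (String name : names) {
            try {
                System.out.println("OK     " + name + " -> " + resolveEntry(dest, name));
            } catch (IOException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

An extractor would call such a check for every entry before creating any file or directory and abort the whole extraction on the first failure.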
