Your message dated Sun, 29 Mar 2020 05:03:27 +0000
with message-id <e1jiq6z-0001bh...@fasolo.debian.org>
and subject line Bug#954713: fixed in commons-configuration2 2.7-1
has caused the Debian Bug report #954713,
regarding commons-configuration2: CVE-2020-1953
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
954713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954713
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: commons-configuration2
Version: 2.2-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for commons-configuration2.
CVE-2020-1953[0]:
| Apache Commons Configuration uses a third-party library to parse YAML
| files which by default allows the instantiation of classes if the YAML
| includes special statements. Apache Commons Configuration versions
| 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this
| library. So if a YAML file was loaded from an untrusted source, it
| could therefore load and execute code out of the control of the host
| application.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-1953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1953
[1] https://www.openwall.com/lists/oss-security/2020/03/13/1
Regards,
Salvatore
--- End Message ---
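To illustrate the unsafe default the advisory above describes, here is an added example (written for this page, not code from the bug report or from commons-configuration2): a constructed YAML document carrying a non-standard `!!` tag is loaded with SnakeYAML's `SafeConstructor`, which only knows the standard YAML tags and therefore refuses it, whereas SnakeYAML's default `new Yaml()` would resolve such a tag to a Java class name. It assumes SnakeYAML 1.x on the classpath; the class name `SafeYamlLoad`, the tag `!!com.example.NotAllowed` and both documents are constructed for the example.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample: a plain mapping, as an application would expect.
    static final String PLAIN = "host: example.invalid\nport: 8080\n";

    // Constructed sample: the same mapping preceded by a non-standard "!!" tag.
    // SnakeYAML's default Constructor reads "!!name" as "instantiate the Java
    // class called name", which is the behaviour CVE-2020-1953 describes.
    static final String TAGGED =
            "!!com.example.NotAllowed\nhost: example.invalid\nport: 8080\n";

    /** Hardened loader: SafeConstructor knows only the standard YAML tags
     *  (maps, sequences, strings, numbers, timestamps, ...) and throws on
     *  anything else, so no application class can be instantiated from input. */
    static Object loadUntrusted(String document) {
        Yaml yaml = new Yaml(new SafeConstructor()); // SnakeYAML 1.x: no-arg ctor
        return yaml.load(document);
    }

    /** Returns true when the hardened loader refuses the document. */
    static boolean rejectedBySafeLoader(String document) {
        try {
            loadUntrusted(document);
            return false;
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException ("could not determine
            // a constructor for the tag ...") for tags outside the standard set.
            return true;
        }
    }

    public static void main(String[] args) {
        Map<?, ?> cfg = (Map<?, ?>) loadUntrusted(PLAIN);
        System.out.println("plain document loaded, port = " + cfg.get("port"));
        System.out.println("tagged document rejected by SafeConstructor: "
                + rejectedBySafeLoader(TAGGED));
        // By contrast, new Yaml() with no constructor argument uses SnakeYAML's
        // default Constructor, which resolves "!!com.example.NotAllowed" by class
        // name and instantiates it if such a class is present on the classpath.
    }
}
```

The defensive check is the constructor choice: any code path that feeds externally supplied YAML into a `Yaml` instance without `SafeConstructor` (or an equivalent tag whitelist) is exposed in the way the advisory describes.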
--- Begin Message ---
Source: commons-configuration2
Source-Version: 2.7-1
Done: tony mancill <tmanc...@debian.org>
We believe that the bug you reported is fixed in the latest version of
commons-configuration2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 954...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated commons-configuration2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 28 Mar 2020 21:32:41 -0700
Source: commons-configuration2
Architecture: source
Version: 2.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 954713
Changes:
commons-configuration2 (2.7-1) unstable; urgency=medium
.
* Team upload
* Update debian/watch to repack as .xz and use https URL
* New upstream version 2.7, CVE-2020-1953 (Closes: #954713)
* Specify debhelper compat 12 via debhelper-compat dependency
* Add build-dep on libcommons-text-java
* Remove get-orig-source target from debian/rules
* Set source and target in maven.properties to Java 8
* Set "Rules-Requires-Root: no" in debian/control
* Bump Standards-Version to 4.5.0
* Freshen years in debian/copyright
* Update Vcs URLs to point to Salsa
* Ship NOTICE.txt with binary package
--- End Message ---