Your message dated Tue, 30 Oct 2018 10:06:29 +0000 with message-id <e1ghqur-0002mt...@fasolo.debian.org> and subject line Bug#897009: fixed in uimaj 2.10.2-1 has caused the Debian Bug report #897009, regarding uimaj: CVE-2017-15691: XML external entity expansion (XXE) attack exposure to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 897009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897009 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: uimaj Version: 2.4.0-2 Severity: grave Tags: security upstream Hi, The following vulnerability was published for uimaj, filling for now with RC severity. CVE-2017-15691[0]: | In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to | 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to | 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to | an XML external entity expansion (XXE) capability of various XML | parsers. UIMA as part of its configuration and operation may read XML | from various sources, which could be tainted in ways to cause | inadvertent disclosure of local files or other internal content. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-15691 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15691 [1] https://uima.apache.org/security_report#CVE-2017-15691 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: uimaj Source-Version: 2.10.2-1 We believe that the bug you reported is fixed in the latest version of uimaj, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 897...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Emmanuel Bourg <ebo...@apache.org> (supplier of updated uimaj package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 30 Oct 2018 10:43:18 +0100 Source: uimaj Binary: libuima-core-java libuima-vinci-java libuima-adapter-soap-java libuima-adapter-vinci-java libuima-cpe-java libuima-document-annotation-java libuima-tools-java uima-utils uima-examples uima-doc Architecture: source Version: 2.10.2-1 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Emmanuel Bourg <ebo...@apache.org> Description: libuima-adapter-soap-java - Library to provide SOAP web services within UIMA libuima-adapter-vinci-java - Library to provide Vinci web services within UIMA libuima-core-java - Core library for the UIMA framework libuima-cpe-java - Library for the UIMA Collection Processing Engine libuima-document-annotation-java - Library for the UIMA document annotation libuima-tools-java - UIMA library for the UIMA tools libuima-vinci-java - Library to handle Vinci web service protocol uima-doc - Documentation for the Apache UIMA framework uima-examples - Examples of UIMA components uima-utils - UIMA tools Closes: 897009 912268 Changes: uimaj (2.10.2-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches - Fixes CVE-2017-15691: XML external entity expansion (XXE) attack exposure (Closes: #897009) * Fixed the build failure with Java 11 (Closes: #912268) * Standards-Version updated to 4.2.1 * Use salsa.debian.org Vcs-* URLs * Removed the debian/orig-tar.sh script Checksums-Sha1: aaee8b5325465a6402e620e7a43cc3b39897d34f 3105 uimaj_2.10.2-1.dsc 10a352a25c2bee449b9dca77f6585d53ab5b2a50 8813808 uimaj_2.10.2.orig.tar.xz eb23d18c7300fe169e7c53154c483267bcab8e0b 18816 uimaj_2.10.2-1.debian.tar.xz 0d3fe8a0155bd4920b9d3d75b7febc7edc5fe973 14661 uimaj_2.10.2-1_source.buildinfo Checksums-Sha256: 507455f77d5e81c992f82a190d1428eba83ae2a8c4fe4c428f90ed5a38d6a0d2 3105 uimaj_2.10.2-1.dsc 174e2e129e8dde3a0953be874453c6ff67bf722bcb31db10151e13bdec5599ad 8813808 uimaj_2.10.2.orig.tar.xz c30e22fc0608acc1ed40e33699c8fc9ac9f56368dc24327f0896ed674f55e001 18816 uimaj_2.10.2-1.debian.tar.xz 7fc5e69efff0bcbc2b2de9148006faacc540786a57e5c6de9ed228db06977cc8 14661 uimaj_2.10.2-1_source.buildinfo Files: b477ad68f0ead60e73b825febde8d8c5 3105 java optional uimaj_2.10.2-1.dsc 53abdc2ee39f34889105bba54c73f3f5 8813808 java optional uimaj_2.10.2.orig.tar.xz 7200f29b125eb7a3dc20006acf9bc1de 18816 java optional uimaj_2.10.2-1.debian.tar.xz 04a5126f2d6e2dedf036faf30796763e 14661 java optional uimaj_2.10.2-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlvYKegSHGVib3VyZ0Bh cGFjaGUub3JnAAoJEPUTxBnkudCsjfEQAIIMRPS/u9JG/9rsg9mzqUQt5amzNT/Q BSPNkmbEe2jelbAy3KrhE+Rp/UYqE7XMrew9HCqHeyutEBlhPfbO6+xcXpka2GbL gi1g/8NS6a4P1tilZFpBNfOeuXWEAtpKimMlTKHZYGAhVCmIi8tDOs9U0h7WdI2E Cv8JZyicfk5RuqkLrP4tfHQLlDqIOPmnFGsJsePjZ7LffkjiirK77PdzSs6XRu6Q B3gt7C9EnLYE6cigtzggGPtiC/8qOe28u7vXAK1V2rZW1RWTuV7Z2Wli7lwiNDxl XFtOaFgN5YDf1IUFWBfi82cbzfZXRMx+6WmCTm1ChY9t7e0lvHVBJ1qe2zpEX+34 woYIg/iHt0Jf69Ud4hTZTQBsPRSBIeLOs2camV/+jjfhd+4CFQozU7DshDuQym8s 018fkVR3H2tdS+hp1tgi0HEwCCNB8h8vhsb6cX/DN+1hMHcMag9wQkZTXZbi8aWX D0lEBmw0jm8Mp7Hohf/zVnyNslFzgbfQZMtnF3zs99cy1SLZsjgpoFTIh11X58dc N2E5AWdqvjKyE5TQyeCQzfrjnbx9VEhBZVNLGxb5juJwyRVEc2BISuNhwKzTPtrT 2ynLdibAA8pDYFGAEloV7D6Su6XatATk+fmU2EdKdLJKZa0hFxq7aIgomlsG+15S /G1y8ASjHVzZ =WDPw -----END PGP SIGNATURE-----
--- End Message ---
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
