Your message dated Tue, 30 Oct 2018 10:06:29 +0000
with message-id <e1ghqur-0002mt...@fasolo.debian.org>
and subject line Bug#897009: fixed in uimaj 2.10.2-1
has caused the Debian Bug report #897009,
regarding uimaj: CVE-2017-15691: XML external entity expansion (XXE) attack exposure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: uimaj
Version: 2.4.0-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for uimaj, filing for now
with RC severity.

CVE-2017-15691[0]:
| In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to
| 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to
| 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to
| an XML external entity expansion (XXE) capability of various XML
| parsers. UIMA as part of its configuration and operation may read XML
| from various sources, which could be tainted in ways to cause
| inadvertent disclosure of local files or other internal content.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15691
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15691
[1] https://uima.apache.org/security_report#CVE-2017-15691

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: uimaj
Source-Version: 2.10.2-1

We believe that the bug you reported is fixed in the latest version of
uimaj, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated uimaj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Oct 2018 10:43:18 +0100
Source: uimaj
Binary: libuima-core-java libuima-vinci-java libuima-adapter-soap-java libuima-adapter-vinci-java libuima-cpe-java libuima-document-annotation-java libuima-tools-java uima-utils uima-examples uima-doc
Architecture: source
Version: 2.10.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libuima-adapter-soap-java - Library to provide SOAP web services within UIMA
 libuima-adapter-vinci-java - Library to provide Vinci web services within UIMA
 libuima-core-java - Core library for the UIMA framework
 libuima-cpe-java - Library for the UIMA Collection Processing Engine
 libuima-document-annotation-java - Library for the UIMA document annotation
 libuima-tools-java - UIMA library for the UIMA tools
 libuima-vinci-java - Library to handle Vinci web service protocol
 uima-doc   - Documentation for the Apache UIMA framework
 uima-examples - Examples of UIMA components
 uima-utils - UIMA tools
Closes: 897009 912268
Changes:
 uimaj (2.10.2-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Refreshed the patches
     - Fixes CVE-2017-15691: XML external entity expansion (XXE) attack exposure
       (Closes: #897009)
   * Fixed the build failure with Java 11 (Closes: #912268)
   * Standards-Version updated to 4.2.1
   * Use salsa.debian.org Vcs-* URLs
   * Removed the debian/orig-tar.sh script

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---