Your message dated Mon, 05 Aug 2019 10:09:53 +0000
with message-id <e1huzw9-0004w5...@fasolo.debian.org>
and subject line Bug#933745: fixed in tika 1.22-1
has caused the Debian Bug report #933745,
regarding tika: CVE-2019-10093: Denial of Service in Apache Tika's 2003ml and 2006ml Parsers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933745: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933745
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tika
Version: 1.20-1
Severity: important
Tags: security upstream
Control: found -1 1.21-1

Hi,

The following vulnerability was published for tika.

CVE-2019-10093[0]:
| In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file
| could consume all available SAXParsers in the pool and lead to very
| long hangs. Apache Tika users should upgrade to 1.22 or later.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10093
[1] https://www.openwall.com/lists/oss-security/2019/08/02/3

Regards,
Salvatore

--- End Message ---
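The advisory above describes the symptom (a crafted input "could consume all available SAXParsers in the pool and lead to very long hangs") without the mechanism. The block below is an added example, not code from this mail thread or from Apache Tika: it models a bounded pool of reusable SAX parsers with Python's standard `xml.sax`, and shows one assumed way such exhaustion arises (a parser checked out of the pool is never returned when parsing raises), beside the hardened pattern a reviewer would ask for (release in `finally`, bounded wait on acquire so callers fail fast instead of hanging). The leak path is illustrative of the failure mode, not a claim about Tika's actual defect; the inputs are constructed.

```python
"""Bounded parser pool: how un-released parsers turn bad input into a hang.

Added example, not Tika's code. The leak shown here (release skipped when
parse() raises) is an assumed, illustrative cause of the pool exhaustion
described in CVE-2019-10093, not a description of Tika's actual bug.
"""
import queue
import xml.sax
import xml.sax.handler
from io import BytesIO

POOL_SIZE = 3
# Constructed inputs: POISON has a mismatched end tag, so expat raises
# SAXParseException part-way through; GOOD is well-formed (3 elements).
POISON = b"<root><unclosed></root>"
GOOD = b"<root><a>1</a><a>2</a></root>"


class CountingHandler(xml.sax.handler.ContentHandler):
    """Minimal handler: counts start tags so we have a result to check."""

    def __init__(self):
        super().__init__()
        self.elements = 0

    def startElement(self, name, attrs):
        self.elements += 1


def make_pool(size=POOL_SIZE):
    """Fixed-size pool of reusable parsers (xml.sax parsers reset per parse)."""
    pool = queue.Queue(maxsize=size)
    for _ in range(size):
        pool.put(xml.sax.make_parser())
    return pool


def parse_leaky(pool, data):
    """Vulnerable pattern: the parser is returned only on the success path.

    A malformed document raises inside parse(), control never reaches
    pool.put(), and the pool shrinks by one. After POOL_SIZE such inputs
    the pool is empty and the next pool.get() blocks forever.
    """
    parser = pool.get()
    handler = CountingHandler()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    pool.put(parser)
    return handler.elements


def parse_safe(pool, data, timeout=0.5):
    """Hardened pattern: bounded wait for a parser, release in finally."""
    try:
        parser = pool.get(timeout=timeout)
    except queue.Empty:
        # Fail fast with a clear error rather than hanging the caller.
        raise RuntimeError("no SAX parser available within %.1fs" % timeout)
    try:
        handler = CountingHandler()
        parser.setContentHandler(handler)
        parser.parse(BytesIO(data))
        return handler.elements
    finally:
        pool.put(parser)  # always returned, even when parse() raised


def pool_is_exhausted(pool, timeout=0.1):
    """True if no parser can be acquired within `timeout` seconds."""
    try:
        parser = pool.get(timeout=timeout)
    except queue.Empty:
        return True
    pool.put(parser)
    return False


def demo():
    """Feed POOL_SIZE poison inputs to each pattern.

    Returns (leaky_parsers_left, leaky_exhausted, safe_parsers_left,
             safe_result_on_good_input).
    """
    leaky = make_pool()
    for _ in range(POOL_SIZE):
        try:
            parse_leaky(leaky, POISON)
        except xml.sax.SAXParseException:
            pass  # the exception is handled, but the parser is gone

    safe = make_pool()
    for _ in range(POOL_SIZE):
        try:
            parse_safe(safe, POISON)
        except xml.sax.SAXParseException:
            pass  # parser was returned in finally

    return leaky.qsize(), pool_is_exhausted(leaky), safe.qsize(), parse_safe(safe, GOOD)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the leaky pool at zero parsers and blocking on the next acquire after three bad documents, while the hardened pool still holds all three parsers and parses well-formed input normally. The acquire timeout is the operational check: with it, exhaustion surfaces as an error in logs instead of as an indefinite hang.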
--- Begin Message ---
Source: tika
Source-Version: 1.22-1

We believe that the bug you reported is fixed in the latest version of
tika, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tika package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Aug 2019 11:41:25 +0200
Source: tika
Architecture: source
Version: 1.22-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Closes: 933744 933745 933746
Changes:
 tika (1.22-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2019-10088: A carefully crafted or corrupt zip file can cause
       an out of memory error in RecursiveParserWrapper (Closes: #933744)
     - Fixes CVE-2019-10094: A carefully crafted package/compressed file that,
       when unzipped/uncompressed yields the same file (a quine), causes a stack
       overflow error in RecursiveParserWrapper (Closes: #933746)
     - Fixes CVE-2019-10093: A carefully crafted 2003ml or 2006ml file could
       consume all available SAXParsers in the pool and lead to very long hangs.
       (Closes: #933745)
     - Refreshed the patches
     - Ignore the new dependency on c3p0 (not used)
Checksums-Sha1:
 69ec0990d617453dfe50b66c1fad682e3f11326c 2754 tika_1.22-1.dsc
 88c6cc8d3b91c77a12f7eb421acc94cf65ee4fd4 23333532 tika_1.22.orig.tar.xz
 e29a2e8bbbbfea3fd6b4554404d1ea742bee78b0 7640 tika_1.22-1.debian.tar.xz
 454be34f89e6dfaccb2cc0f5f8d91da6a6c7b355 13207 tika_1.22-1_source.buildinfo
Checksums-Sha256:
 ade5061dae979d66afa77b99e498c29ba6cec0e902f3700f6c87430e52030453 2754 tika_1.22-1.dsc
 0407432e3581a65530fd8bff13f2848894b03b28fd46dc0dd7b16daa60b0f559 23333532 tika_1.22.orig.tar.xz
 b4820f6b2d679f81256d584b96e26487e804b9448b0030808d4a87973d53b41f 7640 tika_1.22-1.debian.tar.xz
 857a247817eb93f5d160a51df9b1aea56ef331633d7230b42312281e167ad6fd 13207 tika_1.22-1_source.buildinfo
Files:
 9a53af116bd589963b241af204cb2db2 2754 java optional tika_1.22-1.dsc
 ac1619d5a5612b5c2f2fb878225354ce 23333532 java optional tika_1.22.orig.tar.xz
 e738ec8a00850fd72c579dfbbf15daee 7640 java optional tika_1.22-1.debian.tar.xz
 0255bed2399db3962e55bcadaab90b20 13207 java optional tika_1.22-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
debian-j...@lists.debian.org for discussions and questions.
