Your message dated Wed, 22 Jun 2022 16:35:09 +0000
with message-id <e1o43jt-0001ge...@fasolo.debian.org>
and subject line Bug#1012314: fixed in maven-shared-utils 3.3.4-1
has caused the Debian Bug report #1012314,
regarding maven-shared-utils: CVE-2022-29599
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1012314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: maven-shared-utils
Version: 3.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/MSHARED-297
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for maven-shared-utils.

CVE-2022-29599[0]:
| In Apache Maven maven-shared-utils prior to version 3.3.3, the
| Commandline class can emit double-quoted strings without proper
| escaping, allowing shell injection attacks.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599
[1] https://issues.apache.org/jira/browse/MSHARED-297
[2] https://github.com/apache/maven-shared-utils/pull/40
[3] https://github.com/apache/maven-shared-utils/commit/f751e614c09df8de1a080dc1153931f3f68991c9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
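
The bug class named in the CVE text above, shown as an added example that is not part of the original report and is not maven-shared-utils code: an argument wrapped in double quotes without escaping is still expanded by the shell, while single-quoting with the embedded quote escaped is not. The function names and the sample argument are constructed for illustration, and single-quoting is shown as one standard hardened form, not as a description of the upstream fix.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not library APIs.

# Weak: wrap in double quotes with no escaping. Inside double quotes the
# shell still performs $(...), `...` and $VAR expansion.
quote_double_naive() {
    printf '"%s"' "$1"
}

# Hardened: wrap in single quotes, where nothing is expanded. The only
# character needing care is the single quote itself, rewritten as '\''
# (close the quote, emit an escaped quote, reopen the quote).
quote_single() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build a command line by string concatenation, as a launcher that goes
# through "sh -c" does, and return the argument the child shell received.
run_with() {
    quoter=$1
    arg=$2
    sh -c "printf '%s' $($quoter "$arg")"
}

# Constructed sample input: a harmless command substitution in a file name.
SAMPLE='report $(echo INJECTED).txt'

printf 'double-quoted, unescaped: %s\n' "$(run_with quote_double_naive "$SAMPLE")"
printf 'single-quoted, escaped:   %s\n' "$(run_with quote_single "$SAMPLE")"
```
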
--- Begin Message ---
Source: maven-shared-utils
Source-Version: 3.3.4-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
maven-shared-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated maven-shared-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Jun 2022 16:48:11 +0200
Source: maven-shared-utils
Architecture: source
Version: 3.3.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1012314
Changes:
 maven-shared-utils (3.3.4-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 3.3.4.
     - Fix CVE-2022-29599: Apache Maven maven-shared-utils prior to version
       3.3.3, the Commandline class can emit double-quoted strings without
       proper escaping, allowing shell injection attacks. (Closes: #1012314)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.1.
   * Drop 01-backward-compatibility.patch.
   * Build-depend on libcommons-text-java.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
