Your message dated Sat, 21 Jan 2023 10:47:02 +0000
with message-id <e1pjboo-007xx6...@fasolo.debian.org>
and subject line Bug#1015001: fixed in resteasy3.0 3.0.26-4
has caused the Debian Bug report #1015001,
regarding resteasy3.0: CVE-2020-10688
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1015001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: resteasy3.0
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for resteasy3.0.
CVE-2020-10688[0]:
| A cross-site scripting (XSS) flaw was found in RESTEasy in versions
| before 3.11.1.Final and before 4.5.3.Final, where it did not properly
| handle URL encoding when the RESTEASY003870 exception occurs. An
| attacker could use this flaw to launch a reflected XSS attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1814974
https://github.com/quarkusio/quarkus/issues/7248
https://issues.redhat.com/browse/RESTEASY-2519 (restricted)
https://github.com/resteasy/Resteasy/pull/2320
https://github.com/resteasy/Resteasy/commit/3fe881cf945c06bdb16895fbc73bc620694d2ba7
(4.6.0.Final)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10688
Please adjust the affected versions in the BTS as needed.
--- End Message ---
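The CVE text above describes a reflected XSS in an error path: a request parameter that fails extraction is echoed back into an HTML error response without output encoding, after the server has already URL-decoded it. The following is an added example, not RESTEasy's code or the real RESTEASY003870 message; it is written in Python rather than RESTEasy's Java because the point is output encoding of a reflected value, not the framework. The handler, the message wording, the parameter name `id` and the probe string are all constructed here for illustration.

```python
"""Reflected XSS through an error message that echoes a bad request
parameter, beside the output-encoding fix.

Added example, not RESTEasy's code.  The CVE text says RESTEasy reflected
input unencoded when the RESTEASY003870 exception occurred; the handler,
message wording and probe below are constructed to mirror that pattern
and are assumptions, not the framework's real message or code path.
"""
from html import escape
from urllib.parse import parse_qs, urlparse


def error_body_vulnerable(name: str, raw_value: str) -> str:
    """Error page that interpolates the decoded parameter value verbatim.
    Served as text/html, so markup in the value runs in the browser."""
    return (
        "<html><body>Could not convert query parameter "
        f"{name}: value was '{raw_value}'</body></html>"
    )


def error_body_fixed(name: str, raw_value: str) -> str:
    """Same page with the value HTML-encoded before interpolation.
    quote=True also encodes ' and ", which matters because the value
    sits inside single quotes in the message."""
    return (
        "<html><body>Could not convert query parameter "
        f"{escape(name, quote=True)}: value was "
        f"'{escape(raw_value, quote=True)}'</body></html>"
    )


def handle_request(url: str, name: str, build_error) -> tuple:
    """Toy JAX-RS-style handler: the `name` query parameter must be an int.

    The server URL-decodes the query string first (parse_qs does this), so a
    percent-encoded payload is literal markup by the time it reaches the
    error builder.  Returns (status, content_type, body)."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    raw = params.get(name, [""])[0]
    try:
        value = int(raw)
    except ValueError:
        return 400, "text/html", build_error(name, raw)
    return 200, "text/plain", f"ok {value}"


# Constructed probe: percent-encoded on the wire, decoded by the server.
PROBE_PLAIN = "<svg onload=alert(1)>"
PROBE_URL = "/items?id=%3Csvg%20onload%3Dalert(1)%3E"


def reflects_unescaped(body: str, probe: str = PROBE_PLAIN) -> bool:
    """The check to run against a real deployment's 400 response:
    does the decoded probe come back byte-for-byte in an HTML body?"""
    return probe in body


if __name__ == "__main__":
    for label, builder in (("vulnerable", error_body_vulnerable),
                           ("fixed", error_body_fixed)):
        status, ctype, body = handle_request(PROBE_URL, "id", builder)
        print(f"{label}: {status} {ctype} reflected={reflects_unescaped(body)}")
        print("   ", body)
```

Against a deployment, the same check is a request with a percent-encoded marker in a parameter that is known to fail conversion, followed by a search for the decoded marker in the 400 body; a patched build returns it entity-encoded. Serving error bodies as text/plain with an explicit charset is a second, independent defence the encoding fix does not depend on.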
--- Begin Message ---
Source: resteasy3.0
Source-Version: 3.0.26-4
Done: Timo Aaltonen <tjaal...@debian.org>
We believe that the bug you reported is fixed in the latest version of
resteasy3.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1015...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <tjaal...@debian.org> (supplier of updated resteasy3.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 21 Jan 2023 11:55:52 +0200
Source: resteasy3.0
Built-For-Profiles: noudeb
Architecture: source
Version: 3.0.26-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaal...@debian.org>
Closes: 1015001 1028854
Changes:
resteasy3.0 (3.0.26-4) unstable; urgency=medium
  .
  * patches: Drop Log4jLogger. (Closes: #1028854)
  * Drop all modules that dogtag-pki doesn't need.
  * RESTEASY-2519-fix-CVE-2020-10688.diff: Fix an XSS flaw. (Closes: #1015001)
    - CVE-2020-10688
  * Restore activation api, add libjakarta-activation-java to build-depends.
Checksums-Sha1:
9ba298e9314ed010eac0030d892e8d691be9ef34 2425 resteasy3.0_3.0.26-4.dsc
06104882af687c9e98a0b9ff70d985d4f5ae0ef4 8688 resteasy3.0_3.0.26-4.debian.tar.xz
ab497a792cc55d1dbc629bdd4ef343b8cc102615 7340 resteasy3.0_3.0.26-4_source.buildinfo
Checksums-Sha256:
9ea8b43ea0a7aadac5c359caf9db0b324012501ddb9e7baecad4b00168580a6b 2425 resteasy3.0_3.0.26-4.dsc
4f0e237c39f78dd03bc7d6365e40edd372182cccf82a42a58a66a882f254e41d 8688 resteasy3.0_3.0.26-4.debian.tar.xz
a0cd08783cf02fb15c5d5e288962acb13f10b21e5f456fb7bfeb2719cdb0030b 7340 resteasy3.0_3.0.26-4_source.buildinfo
Files:
8e0b687af9a6758dd0dc0a8301a59427 2425 java optional resteasy3.0_3.0.26-4.dsc
547c462ac6bfca14efff4dc01fdd4343 8688 java optional resteasy3.0_3.0.26-4.debian.tar.xz
f99e7a9e96e6fd9d8d4d190e269afa0b 7340 java optional resteasy3.0_3.0.26-4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.