Your message dated Thu, 23 Feb 2023 04:19:07 +0000
with message-id <e1pv34v-00gold...@fasolo.debian.org>
and subject line Bug#1031733: fixed in libcommons-fileupload-java 1.4-2
has caused the Debian Bug report #1031733,
regarding libcommons-fileupload-java: CVE-2023-24998
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031733: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031733
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libcommons-fileupload-java
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libcommons-fileupload-java.

CVE-2023-24998[0]:
| Apache Commons FileUpload before 1.5 does not limit the number of
| request parts to be processed resulting in the possibility of an
| attacker triggering a DoS with a malicious upload or series of
| uploads.

https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24998
    https://www.cve.org/CVERecord?id=CVE-2023-24998

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libcommons-fileupload-java
Source-Version: 1.4-2
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libcommons-fileupload-java, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated 
libcommons-fileupload-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Feb 2023 19:37:24 -0800
Source: libcommons-fileupload-java
Architecture: source
Version: 1.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1031733
Changes:
 libcommons-fileupload-java (1.4-2) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for CVE-2023-24998 (Closes: #1031733)
   * Include Apache NOTICE file in binary package

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
