Your message dated Sat, 24 Jun 2023 21:53:33 +0000
with message-id <e1qdbch-007q2v...@fasolo.debian.org>
and subject line Bug#1038979: fixed in guava-libraries 32.0.1-1
has caused the Debian Bug report #1038979,
regarding guava-libraries: CVE-2020-8908 CVE-2023-2976
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1038979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: guava-libraries
Version: 31.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for guava-libraries.

CVE-2020-8908[0]:
| A temp directory creation vulnerability exists in all versions of
| Guava, allowing an attacker with access to the machine to
| potentially access data in a temporary directory created by the
| Guava API com.google.common.io.Files.createTempDir(). By default, on
| unix-like systems, the created directory is world-readable (readable
| by an attacker with access to the system). The method in question
| has been marked @Deprecated in versions 30.0 and later and should
| not be used. For Android developers, we recommend choosing a
| temporary directory API provided by Android, such as
| context.getCacheDir(). For other Java developers, we recommend
| migrating to the Java 7 API
| java.nio.file.Files.createTempDirectory() which explicitly
| configures permissions of 700, or configuring the Java runtime's
| java.io.tmpdir system property to point to a location whose
| permissions are appropriately configured.


CVE-2023-2976[1]:
| Use of Java's default temporary directory for file creation in
| `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on
| Unix systems and Android Ice Cream Sandwich allows other users and
| apps on the machine with access to the default Java temporary
| directory to be able to access the files created by the class.  Even
| though the security vulnerability is fixed in version 32.0.0, we
| recommend using version 32.0.1 as version 32.0.0 breaks some
| functionality under Windows.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8908
    https://www.cve.org/CVERecord?id=CVE-2020-8908
[1] https://security-tracker.debian.org/tracker/CVE-2023-2976
    https://www.cve.org/CVERecord?id=CVE-2023-2976

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
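The two CVE descriptions quoted in the report above both come down to one mistake: creating a directory or spill file in the shared system temp location with the JVM's default mode, so any other local user can read it. The following is an added example, not code from Guava or from the Debian package, contrasting the behaviour behind CVE-2020-8908 (Guava's `Files.createTempDir()` uses `File.mkdir()`, so the mode is 0777 masked only by the umask) with the `java.nio.file.Files.createTempDirectory()` replacement the CVE text recommends, and showing the `java.io.tmpdir` workaround for CVE-2023-2976 on Guava versions older than 32.0.1. The class name `PrivateTempDir` and the helper names `isOwnerOnly`, `createPrivateTempDir` and `redirectJavaTmpDir` are mine, and the code assumes a POSIX filesystem (Linux, *BSD, macOS).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (not Guava or Debian code). POSIX-only: getPosixFilePermissions
 * throws UnsupportedOperationException on Windows.
 */
public class PrivateTempDir {

    /** The most a private temp directory may grant: rwx for the owner only (0700). */
    private static final Set<PosixFilePermission> OWNER_ONLY = EnumSet.of(
            PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE,
            PosixFilePermission.OWNER_EXECUTE);

    /**
     * Audit check: true if no group or other permission bit is set on the path.
     * Run it against a directory produced by the deprecated
     * com.google.common.io.Files.createTempDir() to see the CVE-2020-8908 problem:
     * that method calls java.io.File.mkdir(), which requests mode 0777, so the
     * result is 0777 & ~umask (0755 under the common umask 022, i.e. world-readable).
     */
    static boolean isOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return OWNER_ONLY.containsAll(perms);
    }

    /**
     * Hardened replacement recommended by the CVE text: java.nio.file.Files
     * .createTempDirectory() requests mode 0700 explicitly, so the umask can only
     * tighten it further, never widen it.
     */
    static Path createPrivateTempDir(String prefix) throws IOException {
        Path dir = Files.createTempDirectory(prefix);
        // Defence in depth: fail closed if the filesystem ignored the requested mode
        // (some FUSE or network mounts do), rather than silently exposing data.
        if (!isOwnerOnly(dir)) {
            Files.delete(dir);
            throw new IOException("temp directory is not private: " + dir);
        }
        return dir;
    }

    /**
     * Workaround for CVE-2023-2976 while Guava < 32.0.1 is still on the classpath:
     * FileBackedOutputStream spills to java.io.tmpdir, so point that property at a
     * 0700 directory. Caveat: OpenJDK caches java.io.tmpdir the first time
     * File.createTempFile or Files.createTemp* is used, so a runtime setProperty
     * only helps if it runs before any of those; -Djava.io.tmpdir=/path on the
     * command line is the robust form.
     */
    static Path redirectJavaTmpDir() throws IOException {
        Path priv = createPrivateTempDir("app-tmp-");
        System.setProperty("java.io.tmpdir", priv.toString());
        return priv;
    }

    public static void main(String[] args) throws IOException {
        Path priv = redirectJavaTmpDir();
        System.out.println("nio createTempDirectory: " + priv
                + " owner-only=" + isOwnerOnly(priv));

        // Contrast: what Guava's deprecated createTempDir() effectively does, a plain
        // mkdir with the default 0777 mode masked by umask. Created inside the private
        // directory so the demonstration itself exposes nothing.
        Path legacy = priv.resolve("guava-style");
        Files.createDirectory(legacy);
        System.out.println("mkdir with default mode: " + legacy
                + " owner-only=" + isOwnerOnly(legacy));
    }
}
```

Under a typical umask of 022 the second line prints `owner-only=false`, which is exactly the condition both CVEs describe; the upgrade to 32.0.1 removes the need for the `java.io.tmpdir` workaround, but the `isOwnerOnly` check is still a cheap thing to run in a test against whatever directory an application hands to untrusted-data code paths.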
--- Begin Message ---
Source: guava-libraries
Source-Version: 32.0.1-1
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
guava-libraries, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1038...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated guava-libraries package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Jun 2023 22:27:47 -0700
Source: guava-libraries
Architecture: source
Version: 32.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1038979
Changes:
 guava-libraries (32.0.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 32.0.1 (Closes: #1038979)
     Addresses insecure temp directory creation
     See: CVE-2020-8908 CVE-2023-2976
   * Bump Standards-Version to 4.6.2 (no changes)
   * Freshen years in debian/copyright
   * Remove 04-source-encoding.patch; applied upstream
   * Refresh remaining patches for upstream 32.0.1
   * Ignore com.google.errorprone:error_prone_core
   * Patch out reference to com.google.errorprone:error_prone_core
   * Remove get-orig-source target from debian/rules
   * Update debian/rules to use DEB_VERSION_UPSTREAM
   * Update debian/watch to use xz compression
Checksums-Sha1:
 fec1e58c6c7fb5d84b2a7665be5b4ced2cc25cac 2349 guava-libraries_32.0.1-1.dsc
 20a51cf8dec261ba1d87c0b7672de10fa69132c8 3410548 guava-libraries_32.0.1.orig.tar.xz
 2cba0b628cb713e93fcdfe79298fd9f895b4d399 21844 guava-libraries_32.0.1-1.debian.tar.xz
 26c10349547df24f55f06ac9badd971c41a8f3b4 14814 guava-libraries_32.0.1-1_amd64.buildinfo
Checksums-Sha256:
 8e5048b5406ffdf17fe32860b2bea7bd5fe28c99285cd2ff11c2fa326987c0ac 2349 guava-libraries_32.0.1-1.dsc
 9fe8fb149a2e9a0e24de658fb094767182593e64e21ba00556bc53ee35deae2c 3410548 guava-libraries_32.0.1.orig.tar.xz
 d36dd6df68408648b541ae2ae14a79bea227700ab9293b3465e85d4a39c60c29 21844 guava-libraries_32.0.1-1.debian.tar.xz
 d90cc979e95c8949e9810e206cdfb5f9137e9a6db6263aa58d7b538b00711c21 14814 guava-libraries_32.0.1-1_amd64.buildinfo
Files:
 ee6bbcc2afb419bf9ea902841f28a40d 2349 java optional guava-libraries_32.0.1-1.dsc
 fb2aed9a2c52b7f546539beb4675eeed 3410548 java optional guava-libraries_32.0.1.orig.tar.xz
 48678299cdd8b992798f354d83628c2d 21844 java optional guava-libraries_32.0.1-1.debian.tar.xz
 e709e5c8022647497524ad0b0e696fc6 14814 java optional guava-libraries_32.0.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmSXYOAUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpYHWQ//UNP0qEPSkcWUZoOGX+DWe88k7HDo
ZQmo+oQCpskWpOWsClqdS+8b4e2I2WqH9c5gd1uMhFwfzJ07HZjHKM8O6MOtpda8
ljfRNfVT8DmhoVAFUXsWvXeUnXpePPTiTxp8KINq0IN7++KDK0RnFTz+GJvG3ToF
+oGVr7O3ZEMEbnGi7b5Gslw1TqBMoqSl17v74KsRyBkHQKX8x1jkfWClEF0jPB2C
rMKu/qBEG7GwcxEDGCnJW3QQJw8BuhqYvpKBm9uKExiIUjOiTDPnTIrUW+nb4ytA
kPDI2mrEVZIc9IjGbu2u9d/HUrzoH4UUF1D3h8SMFz/nHr2LAFPQGjOXH01uHw9u
yTdApwYAe8W4ifnxr3qcMWHZ0ygWHrIATMJiU9aBpJlevss9JvJYnHCKucFQyCrm
In49D/uVE/0lriclfyOQG3xbcLNL8i7ZUsr06DXV2nWTFaTlSVEF+N2sCFKlD5iO
+Fl94EV12v+WPL6jXJbuc78Z19HAR6rNsch8gnOluYl8tRy1U1ZCeYAAJteTypDM
Nc2I3r1USbEsG+vATK58x8JEjQFP0lSMMSp/ExTVFFrqbUh02L/boZ5KHqCyhZBK
ZkbRPGIVoAhe9qkLhxriXDdtIhoE2VsxTDNal8YUwjE8kvTpVBreZiYYysbGCha9
MLOXwDiQ18jXEn4=
=KF/M
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
debian-j...@lists.debian.org for discussions and questions.
