Your message dated Thu, 14 Sep 2023 17:51:09 +0000
with message-id <e1qgquf-006s8a...@fasolo.debian.org>
and subject line Bug#1035952: fixed in apache-jena 4.9.0-1
has caused the Debian Bug report #1035952,
regarding apache-jena: CVE-2023-22665
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035952
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-jena
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for apache-jena.

CVE-2023-22665[0]:
| There is insufficient checking of user queries in Apache Jena versions
| 4.7.0 and earlier, when invoking custom scripts. It allows a remote
| user to execute arbitrary javascript via a SPARQL query.

https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22665
    https://www.cve.org/CVERecord?id=CVE-2023-22665

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: apache-jena
Source-Version: 4.9.0-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-jena, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-jena package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 14 Sep 2023 19:21:03 +0200
Source: apache-jena
Architecture: source
Version: 4.9.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1035952 1041108
Changes:
 apache-jena (4.9.0-1) unstable; urgency=medium
 .
   * New upstream version 4.9.0.
     - Fix CVE-2023-22665: (Closes: #1041108)
       There is insufficient checking of user queries in Apache Jena versions
       4.7.0 and earlier, when invoking custom scripts. It allows a remote user
       to execute arbitrary javascript via a SPARQL query.
     - Fix CVE-2023-32200: (Closes: #1035952)
       There is insufficient restrictions of called script functions in Apache
       Jena versions 4.8.0 and earlier. It allows a remote user to execute
       javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0
       through 4.8.0.
   * B-D on libcaffeine-java and libcommons-collections4-java.
   * Ignore org.roaringbitmap:RoaringBitmap artifact. Needs packaging.
   * Rebase and update the patches for the new release.


--- End Message ---