Your message dated Mon, 25 Mar 2024 05:35:03 +0000
with message-id <e1rocz9-00bbvs...@fasolo.debian.org>
and subject line Bug#1067513: fixed in commons-configuration2 2.10.1-1
has caused the Debian Bug report #1067513,
regarding commons-configuration2: CVE-2024-29131
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1067513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: commons-configuration2
Version: 2.8.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/CONFIGURATION-840
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for commons-configuration2.

CVE-2024-29131[0]:
| Out-of-bounds Write vulnerability in Apache Commons
| Configuration. This issue affects Apache Commons Configuration: from
| 2.0 before 2.10.1. Users are recommended to upgrade to version
| 2.10.1, which fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29131
    https://www.cve.org/CVERecord?id=CVE-2024-29131
[1] https://issues.apache.org/jira/browse/CONFIGURATION-840
[2] https://www.openwall.com/lists/oss-security/2024/03/20/4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: commons-configuration2
Source-Version: 2.10.1-1
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
commons-configuration2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1067...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated commons-configuration2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 24 Mar 2024 21:43:35 -0700
Source: commons-configuration2
Architecture: source
Version: 2.10.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1067513 1067514
Changes:
 commons-configuration2 (2.10.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.10.1 (Closes: #1067513, #1067514)
     CVE-2024-29131, CVE-2024-29133
   * Ignore spotbugs maven plugin
   * Ignore org.apache.maven.plugins:maven-pmd-plugin
   * Add Build-Dep on libmockito-java and liblog4j2-java
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use
debian-j...@lists.debian.org for discussions and questions.