Bug#611786: marked as done (eclipse: cross-site scripting vulnerability in the help webapps)

[Debian Bug Tracking System]

Your message dated Fri, 11 Feb 2011 14:34:43 +0000
with message-id <e1pnu55-0006uu...@franck.debian.org>
and subject line Bug#611849: fixed in eclipse 3.5.2-9
has caused the Debian Bug report #611849,
regarding eclipse: cross-site scripting vulnerability in the help webapps
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
611849: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: eclipse-platform
Version: 3.5.2-6squeeze1
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

These are reported as CVE-2008-7271 and CVE-2010-4647, which appear to be the
(nearly) same issue.  Upstream has fixed this with [1] and has made its way
into our git repositories in the upstream-3.6 branch[2].

~Niels

[1] https://bugs.eclipse.org/bugs/attachment.cgi?id=130767

[2] 
http://git.debian.org/?p=pkg-java/eclipse.git;a=commitdiff;h=68f899e621857ab6f44c7926b80c1da742bf7adf;hp=c4581570d622c04e03188f20aeb9f2149dff5724

- -- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages eclipse-platform depends on:
ii  ant                      1.8.0-4         Java based build tool like make
ii  ant-optional             1.8.0-4         Java based build tool like make - 
ii  default-jre [java6-runti 1:1.6-40        Standard Java or Java compatible R
ii  eclipse-platform-data    3.5.2-6squeeze1 Eclipse platform without plug-ins 
ii  eclipse-rcp              3.5.2-6squeeze1 Eclipse Rich Client Platform (RCP)
ii  gcj-4.4-jre [java5-runti 4.4.5-2         Java runtime environment using GIJ
ii  gcj-jre [java5-runtime]  4:4.4.5-1       Java runtime environment using GIJ
ii  java-common              0.40            Base of all Java packages
ii  libc6                    2.11.2-10       Embedded GNU C Library: Shared lib
ii  libcommons-codec-java    1.4-2           encoder and decoders such as Base6
ii  libcommons-el-java       1.0-6           Implementation of the JSP2.0 Expre
ii  libcommons-httpclient-ja 3.1-9           A Java(TM) library for creating HT
ii  libcommons-logging-java  1.1.1-8         commmon wrapper interface for seve
ii  libjasper-java           5.5.26-5        Implementation of the JSP Containe
ii  libjetty-java            6.1.24-6        Java servlet engine and webserver 
ii  libjsch-java             0.1.42-2        pure Java implementation of the SS
ii  liblucene2-java          2.9.2+ds1-1     Full-text search engine library fo
ii  libservlet2.5-java       6.0.28-9        Servlet 2.5 and JSP 2.1 Java API c
ii  openjdk-6-jre [java6-run 6b18-1.8.3-2    OpenJDK Java runtime, using Hotspo
ii  perl                     5.10.1-17       Larry Wall's Practical Extraction 
ii  sat4j                    2.2.0-3         Efficient library of SAT solvers i
ii  sun-java6-jre [java6-run 6.22-1          Sun Java(TM) Runtime Environment (

Versions of packages eclipse-platform recommends:
ii  eclipse-pde              3.5.2-6squeeze1 Eclipse Plug-in Development Enviro

Versions of packages eclipse-platform suggests:
ii  eclipse-jdt              3.5.2-6squeeze1 Eclipse Java Development Tools (JD

Versions of packages eclipse-platform is related to:
ii  eclipse-jdt              3.5.2-6squeeze1 Eclipse Java Development Tools (JD
ii  eclipse-pde              3.5.2-6squeeze1 Eclipse Plug-in Development Enviro

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJNSQp4AAoJEAVLu599gGRCbdQP/0Ia6qMqbmo83im1YAfRMTHk
qSzBvYXs339p8AEVkE2dtFc/vxujsMcKINFdJrSJLCYAeXuTeUQWNQJGwuFVmCTC
FqDPzqriQ22Tzf9zbxBjp4aaCETYTb5cEJSn9iC527SaJxWAxey+WKK3gE7vKQBs
YrxxjfQIGq9dKcX3d9/zM5mogTfeC2O1dEVALs1Zo/DaiPZwu/E77RVxjo4mqz47
mBX08bwyncgRcGfHpTfDmk5KoiUxBjpj/bUjXNgfgbiaHrDMXXoj4zFYHXyovxnC
oQEU1HcX6hmMZDgOc5hLSaMKXs44Y/ZBRrZvsW6AOh0eqSC/EdX/85QbTkwbCKdz
HMAdWrXTu3J4A0qmKPAL4LWarp44KWwbPf52yFipCPrkU0Jv7dG8oHqlFgBUCYrq
t5grRRVgQeP4YIrTo8SKc5R++AVv9QKFjvvnQDhgBHTjc/jvpRez0UzaFjDLFFDE
CmkfW+5OeahlgoSEJo/f0GoYSkww1glAC7ItcNFE+0WSK6pvkXVQ2MxOsjhevyP+
z78eJU0svxJdhpcguP7UdfKKJ2VvecAG74atyLA18OeizsDLMzyjmlH+K9KXCZu2
B12YhJyshmwDm+kKYV3dE9fcN+tbFRPWNM+kZp5G4HqtHTS68YOB7k148UPx00Hp
p7nQ4DltHi3FXDQ7NIUh
=UCG+
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Source: eclipse
Source-Version: 3.5.2-9

We believe that the bug you reported is fixed in the latest version of
eclipse, which is due to be installed in the Debian FTP archive:

eclipse-jdt_3.5.2-9_i386.deb
  to main/e/eclipse/eclipse-jdt_3.5.2-9_i386.deb
eclipse-pde_3.5.2-9_i386.deb
  to main/e/eclipse/eclipse-pde_3.5.2-9_i386.deb
eclipse-platform-data_3.5.2-9_all.deb
  to main/e/eclipse/eclipse-platform-data_3.5.2-9_all.deb
eclipse-platform_3.5.2-9_i386.deb
  to main/e/eclipse/eclipse-platform_3.5.2-9_i386.deb
eclipse-plugin-cvs_3.5.2-9_i386.deb
  to main/e/eclipse/eclipse-plugin-cvs_3.5.2-9_i386.deb
eclipse-rcp_3.5.2-9_i386.deb
  to main/e/eclipse/eclipse-rcp_3.5.2-9_i386.deb
eclipse_3.5.2-9.debian.tar.gz
  to main/e/eclipse/eclipse_3.5.2-9.debian.tar.gz
eclipse_3.5.2-9.dsc
  to main/e/eclipse/eclipse_3.5.2-9.dsc
eclipse_3.5.2-9_all.deb
  to main/e/eclipse/eclipse_3.5.2-9_all.deb
libequinox-osgi-java_3.5.2-9_all.deb
  to main/e/eclipse/libequinox-osgi-java_3.5.2-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <ni...@thykier.net> (supplier of updated eclipse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Feb 2011 14:15:40 +0100
Source: eclipse
Binary: eclipse eclipse-jdt eclipse-pde eclipse-platform eclipse-platform-data 
eclipse-plugin-cvs eclipse-rcp libequinox-osgi-java
Architecture: source all i386
Version: 3.5.2-9
Distribution: unstable
Urgency: low
Maintainer: Debian Orbital Alignment Team 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Niels Thykier <ni...@thykier.net>
Description: 
 eclipse    - Extensible Tool Platform and Java IDE
 eclipse-jdt - Eclipse Java Development Tools (JDT)
 eclipse-pde - Eclipse Plug-in Development Environment (PDE)
 eclipse-platform - Eclipse platform without plug-ins to develop any language
 eclipse-platform-data - Eclipse platform without plug-ins to develop any 
language (data)
 eclipse-plugin-cvs - Eclipse Team Integration (CVS support)
 eclipse-rcp - Eclipse Rich Client Platform (RCP)
 libequinox-osgi-java - Equinox OSGi framework
Closes: 611849 612738
Changes: 
 eclipse (3.5.2-9) unstable; urgency=low
 .
   * Bump version for sat4j. (Closes: #612738)
   * Backported patch for CVE-2010-4647. (Closes: #611849)
     - Fixes XSS in help browser application.
Checksums-Sha1: 
 d20db7eea322f9843dcc3fc4c6f5fc70a211a6ce 3184 eclipse_3.5.2-9.dsc
 a6b7a85c4ee1180e75514018100ae44e3335c785 101771 eclipse_3.5.2-9.debian.tar.gz
 56b1deba0acbeec2bb8fbeda362c4197a10bfad2 47152 eclipse_3.5.2-9_all.deb
 5cb0bd493f7e44b4455e634e08d427d534e90915 40005396 eclipse-jdt_3.5.2-9_i386.deb
 8de008f4934f4a53a9bb0001e149985277c4da4e 16097226 eclipse-pde_3.5.2-9_i386.deb
 0c63ddc3b62ddca52b304c8d81090d738b516990 40309078 
eclipse-platform_3.5.2-9_i386.deb
 042af5f4785c29bc35b32f311bf93c05b2d6bfcd 29628286 
eclipse-platform-data_3.5.2-9_all.deb
 ecabf5f0a7fbbe0cf962b69388412285e6875fbd 3190052 
eclipse-plugin-cvs_3.5.2-9_i386.deb
 5c27366c32d732adda891640c30c656e6cc1d412 15734574 eclipse-rcp_3.5.2-9_i386.deb
 7e377e64ef2fadafd4799af906342926b5ddf09c 3222918 
libequinox-osgi-java_3.5.2-9_all.deb
Checksums-Sha256: 
 c44579883cabe57faff8bccf835033bd174e898fdc457f0b2bc8da24279f368c 3184 
eclipse_3.5.2-9.dsc
 76a9422b388af004f372449c18123213949c52417b81caa2ff1a5480f5799b77 101771 
eclipse_3.5.2-9.debian.tar.gz
 048c16fdbde8255e75efb4815e0b99c90f5bb5385291e8cdb7165e569bf1272b 47152 
eclipse_3.5.2-9_all.deb
 733886ef0cc0cca60a6aca1a00ecf7b063e7813bf3fee8238443d87ed9fb4762 40005396 
eclipse-jdt_3.5.2-9_i386.deb
 733935f58b0651ecad175d78dcf4f089c7f3855e65cc97dbf8ded0cf34fa99cf 16097226 
eclipse-pde_3.5.2-9_i386.deb
 fe595b0dd5a2bdd6c13877ae9cc890201e544c92321be90af9aa56d8ec4d2fb8 40309078 
eclipse-platform_3.5.2-9_i386.deb
 ab9e21765d59d72c84321329452a73372603c3c991edecbde3c4633ec6f086f7 29628286 
eclipse-platform-data_3.5.2-9_all.deb
 7323f0067cbc444c79821d8fe70b6e547ca55771c3219c2f54f2b86e3e61534c 3190052 
eclipse-plugin-cvs_3.5.2-9_i386.deb
 81c463b65991e8a8ede21e7c4e0936dfbabc1a20e2e6c6d355359dd2c816ff99 15734574 
eclipse-rcp_3.5.2-9_i386.deb
 eb16cd07c636e1317501dabc0fa62b913cf691ef37e972625cca92f940316ede 3222918 
libequinox-osgi-java_3.5.2-9_all.deb
Files: 
 045e6a6a6e5e6d863945732a18954e70 3184 devel optional eclipse_3.5.2-9.dsc
 71c89dccd6964d87932414e836fda9f6 101771 devel optional 
eclipse_3.5.2-9.debian.tar.gz
 29cc00eef582cb626d715906daea55f5 47152 devel optional eclipse_3.5.2-9_all.deb
 85f483c2701ee391c609375f2d6ae21a 40005396 devel optional 
eclipse-jdt_3.5.2-9_i386.deb
 ed542965d00845edd188a92efdbdbb4f 16097226 devel optional 
eclipse-pde_3.5.2-9_i386.deb
 79534b0e07cd7a3ced9220af2429953d 40309078 devel optional 
eclipse-platform_3.5.2-9_i386.deb
 68ada72e56fe899a7f65240da6bb827c 29628286 devel optional 
eclipse-platform-data_3.5.2-9_all.deb
 934d175b8353501c5442384e2f5a998e 3190052 devel optional 
eclipse-plugin-cvs_3.5.2-9_i386.deb
 3053df1b22a43718a375b07fb9d20dd0 15734574 devel optional 
eclipse-rcp_3.5.2-9_i386.deb
 9d5d402e2121081e6b70597f0a18db94 3222918 java optional 
libequinox-osgi-java_3.5.2-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJNVT06AAoJEAVLu599gGRCUfEQAJWLsf4CDlP5GE78tgWKtCN7
35SrJSKJaTwgE3EF3nduWtRUU3oLOzyA9OyjM1g32mvMquk+BFAI31+4lRVYG5cJ
MeV/GEeB1I9VfDkopFfdW4qGYdIZJ2S3hPQ5C0D0azcaWt5b/UsyEu8194SLpQaB
G1p6o4ZhNpDtbetiIsqmPIR8Vl9OBjHwMqH+sbEDyfiG7pFeoM/E4/lkG9luxInn
N96D5vkbLlxyYlrITzj3wYdHJzHWBYfS9I/KR6XgRg0iBr1QYeGoeYbyfY5uAb8s
+lzOve6gqO2YdVH34RPBchnCg/OfdThLUY3xAt1PY0SA1thvGDzb1Yn0YmZlRZXh
T8FbZWn+dTuA5Xexws5vAigne5NnpaotsxzPgbvgHejwKG3bGOVSwjeN7dABQ1DU
kSFgTAx9vtyKzHVOkiHaUTspyYQ3TylkhKh9pmP3c0rU91q4AY1XfKJ4vGUVnxAj
zwqAVBsZRxhj8+UI/LT7cNaocG+0qWEV7dsdbaYkXmTrlkjpEdsdBFqgyAFcxjoX
aN/obDn0lId9ZvwVVY5ugraxuvoKx5AtIwBNYl7vm7RNNkWfMO4C8z/SX8Jd7Q50
3CWkD+V+AsaZbmylsw5EVSyHtE10u5qND9eOUxDYigE2XR71CGTakBmxnNpqAITu
OR4BZ+HQ4Y7jwOk9N0cM
=X1Z+
-----END PGP SIGNATURE-----

--- End Message ---

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>. Please 
use
debian-j...@lists.debian.org for discussions and questions.