Bug#655554: marked as done (jenkins-executable-war: Hash DoS vulnerability in Jenkins core)

[Debian Bug Tracking System]

Your message dated Sat, 14 Jan 2012 18:04:44 +0000
with message-id <e1rm7y8-00023d...@franck.debian.org>
and subject line Bug#655554: fixed in jenkins-executable-war 1.25-1
has caused the Debian Bug report #655554,
regarding jenkins-executable-war: Hash DoS vulnerability in Jenkins core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
655554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655554
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: jenkins-executable-war
Version: 1.22-1
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jenkins suffers from the well publicised Hash DoS vulnerability:

http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb

This requires new upstream versions of jenkins-winstone and
jenkins-executable-war.

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-8-generic (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

jenkins-executable-war depends on no packages.

jenkins-executable-war recommends no packages.

Versions of packages jenkins-executable-war suggests:
pn  jenkins-executable-war-doc  <none>

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJPDqb3AAoJEL/srsug59jD1/QQALUO9DStN4fV1bPEz6JLCNaJ
lQLbcFcsp0mKLJTC/5/QgWc9rvEBuJHoSypZchDU+YL7kelL69hE7L980K02iqns
438JaF4jtaTJvqXyOGiizFKlPz5CKuImDWJ3kpAeejhlUImBq/ywD6lHvmFLafj1
Cy5HK9n9bjY7AlsdfSy6Ts6Rwa7IXt3BCi4XjBV88VrTA/CCGWXxBAmJSvz7grYT
olNfhifsIEikvmZEVgT12yYaYjj9U55mp13+tmCa+fNCyh0nGA0kXWDJOJU2qE5N
5JobAem3tc3fkN7KKTpf8a3SCceOS7BHQ/JvzrYOaKOWU6yvpUuxXn168xdKn9Co
3oOJiJ94/TyoZ4ualqLX6yKEf2OVX+JeVKqsZyX0CmVjK8nDanZdWZqQC3YmYDvH
VhDwn4ker5IAbffPigrjsf7AkAFr76ZpGyaivzKxxxxsDUPyP50I+u/SwgjDFzoK
mb87ST3O4mEsYFGy80h/WcmYpu75Q0xomf4IXEKBbY7tVVsaWuFtGBco/p/cP/he
qhyM7WWms5jqQk9IQGfTF7xXV/nezXg7IYtD3YMq1lEF0uy4208MDEDhP2yrgOMg
bf44iBoBnvuotUItETZ2TpRfAenlbPniJmzEs+8JGpgiUOC/9YG0Y/+7E1LQdVV4
eMZangouYRehlMSH8NCi
=Bj2o
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Source: jenkins-executable-war
Source-Version: 1.25-1

We believe that the bug you reported is fixed in the latest version of
jenkins-executable-war, which is due to be installed in the Debian FTP archive:

jenkins-executable-war-doc_1.25-1_all.deb
  to main/j/jenkins-executable-war/jenkins-executable-war-doc_1.25-1_all.deb
jenkins-executable-war_1.25-1.debian.tar.gz
  to main/j/jenkins-executable-war/jenkins-executable-war_1.25-1.debian.tar.gz
jenkins-executable-war_1.25-1.dsc
  to main/j/jenkins-executable-war/jenkins-executable-war_1.25-1.dsc
jenkins-executable-war_1.25-1_all.deb
  to main/j/jenkins-executable-war/jenkins-executable-war_1.25-1_all.deb
jenkins-executable-war_1.25.orig.tar.gz
  to main/j/jenkins-executable-war/jenkins-executable-war_1.25.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 655...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <james.p...@ubuntu.com> (supplier of updated jenkins-executable-war 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Jan 2012 10:28:37 +0100
Source: jenkins-executable-war
Binary: jenkins-executable-war jenkins-executable-war-doc
Architecture: source all
Version: 1.25-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: James Page <james.p...@ubuntu.com>
Description: 
 jenkins-executable-war - Library for building executable .war files
 jenkins-executable-war-doc - Documentation for jenkins-executable-war-java
Closes: 655554
Changes: 
 jenkins-executable-war (1.25-1) unstable; urgency=low
 .
   [ James Page ]
   * New upstream release:
     - 
http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
       Fix Hash DoS vulnerability by limiting the maximum number of
       parameters to 1000 (Closes: #655554, LP: #914628).
 .
   [ Damien Raude-Morvan ]
   * Add DM-Upload-Allowed flag for James Page.
Checksums-Sha1: 
 d56f04f91a2a52714f36a9d465e7aee2006d9584 2246 jenkins-executable-war_1.25-1.dsc
 48e502b8614f62e6ebdc10b5d993388ee4391988 10197 
jenkins-executable-war_1.25.orig.tar.gz
 eefd8d4b01ab3f6945691c89c90ab4011fb7eca6 4000 
jenkins-executable-war_1.25-1.debian.tar.gz
 a7e460b2ebc2fcf4c165a6a70bf436b94adeedea 19808 
jenkins-executable-war_1.25-1_all.deb
 b54ec0983451266d7ec7231f2bfadb968998659f 30146 
jenkins-executable-war-doc_1.25-1_all.deb
Checksums-Sha256: 
 233ee04c2c2215f86b4fb1934dedfdb262bee32217b2a3c078a2de0f9ca27d87 2246 
jenkins-executable-war_1.25-1.dsc
 fea89f75e1f36ac0bb8da78cdd139ac07a73804738411a0f6e6d5f8b5c53e484 10197 
jenkins-executable-war_1.25.orig.tar.gz
 5acc2d9cd470c8ed8fbe2e2d6fabbbe424ffed55fb7c62b724793480ecb8a7c1 4000 
jenkins-executable-war_1.25-1.debian.tar.gz
 f075217bc8066a98c0147621eefbbc73cc132dfa3619ee5d8be45a7aa092a820 19808 
jenkins-executable-war_1.25-1_all.deb
 a8d231a726e948b2a81428e8aa4731c6d20450c99b777121e9a3b67f0aa49bce 30146 
jenkins-executable-war-doc_1.25-1_all.deb
Files: 
 a10b2a89626fd7d39a88b439c802cfa8 2246 java optional 
jenkins-executable-war_1.25-1.dsc
 a915945872d5a947deb297e23879fcf0 10197 java optional 
jenkins-executable-war_1.25.orig.tar.gz
 de9738bde3b34c953b60dc4b63c27303 4000 java optional 
jenkins-executable-war_1.25-1.debian.tar.gz
 f10e0935c879466ab07a5e80f1460478 19808 java optional 
jenkins-executable-war_1.25-1_all.deb
 536a62ada7e1f7fd143e3b5f84ec591f 30146 doc optional 
jenkins-executable-war-doc_1.25-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJPEb9XAAoJEHXiDM0z50n8oKkP/j2ZD5pvdMmCdPS3TrNqaE26
vbumzLO2dk9J/fWdailQYeWa1kzodiXAJgc/2suWs0b4rRn/gXhJwTTe8nK2vwaH
VWCIbZtkJhl8YGFv2Vxku+sc6QX6OiN5F8BJYbZabZJIOT68ErwQpkUFtm9/Ec2V
q3uomztyKbL7KSLbdDrbnpVafIKBcHVRGcn8bpSq+mA1yNtcQdOTs+0NkRoArHlE
VX4aQcGdTKQpT4b+kI+j2myVw/taCdaUnZV0gZNepVNlJC3LYC6srUCRUUQeiWp8
Nca/ZJzqVdFVcneSguoXzS9gQ4MtZsRIxfLel965hsE4G6sEDRsf+6hruVpAfCku
VsEm4tjiwXn9snHTiCby5B6sYYEi1DHJzH4A1RM/ICJZXJGbkfM2KY7K/GpRR8GJ
R9DgUZ0m0MYhdgNXh0H0bbUcEb5+R1IhD1xkYMI0LoXrM2N/q7WrmKxVy4lijW39
Qcjih75QZ1nt5Py687lh4XTW2w55CiR5QHF58oarHLCXj8cEvfturDSZggTV0jOf
x7+06OtaRZREH+phNbkj6J+aVZEBST3QLMxQkb5HDRYg8CGX3Fi61+cTqKoqduAd
bA/6bmlbx4r7E4oX8lYBd++5W8pbwQOYWr2LRU5ex4VOsFuljL/aATiAYvS0yAlA
hJ97N0emtRRQRFFS2V3s
=SIJL
-----END PGP SIGNATURE-----

--- End Message ---

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.