Your message dated Wed, 31 May 2017 01:02:08 +0000
with message-id <[email protected]>
and subject line Bug#860567: fixed in fop 1:1.1.dfsg2-1+deb8u1
has caused the Debian Bug report #860567,
regarding fop: CVE-2017-5661: information disclosure vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
860567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860567
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security
Hi,
the following vulnerability was published for fop.
CVE-2017-5661[0]:
| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within an XML document can trivially trigger an amplification attack.
I was not able to verify that myself, but it is claimed to affect all
fop versions from 1.0 up to 2.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-5661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661
[1] http://www.openwall.com/lists/oss-security/2017/04/18/2
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: fop
Source-Version: 1:1.1.dfsg2-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated fop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 24 May 2017 17:35:34 +0200
Source: fop
Binary: fop libfop-java fop-doc
Architecture: source all
Version: 1:1.1.dfsg2-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Description:
fop - XML formatter driven by XSL Formatting Objects (XSL-FO.)
fop-doc - XML formatter driven by XSL Formatting Objects (doc)
libfop-java - XML formatter driven by XSL Formatting Objects (XSL-FO.)
Closes: 860567
Changes:
fop (1:1.1.dfsg2-1+deb8u1) jessie-security; urgency=high
.
* Team upload.
* Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
--- End Message ---
--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.