Your message dated Mon, 04 Sep 2017 06:19:28 +0000
with message-id <e1dokji-00039u...@fasolo.debian.org>
and subject line Bug#860566: fixed in batik 1.9-1
has caused the Debian Bug report #860566,
regarding batik: CVE-2017-5662: information disclosure vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860566
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for batik.

CVE-2017-5662[0]:
| In Apache Batik before 1.9, files lying on the filesystem of the
| server which uses batik can be revealed to arbitrary users who send
| maliciously formed SVG files. The file types that can be shown depend
| on the user context in which the exploitable application is running.
| If the user is root a full compromise of the server - including
| confidential or sensitive files - would be possible. XXE can also be
| used to attack the availability of the server via denial of service as
| the references within a xml document can trivially trigger an
| amplification attack.

The issue was announced in [1], but at the time of writing this
bug report I have no upstream reference apart from [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5662
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
[1] http://www.openwall.com/lists/oss-security/2017/04/18/1
[2] https://xmlgraphics.apache.org/security.html

Regards,
Salvatore

--- End Message ---
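The CVE text quoted in the report names two distinct XXE outcomes: an external entity (`SYSTEM "file:///..."`) that pulls server files into the rendered document, and an internal entity chain whose expansion balloons far beyond the input size. The following is an added Python example, not Batik code and not part of the bug report, showing the pre-parse triage a service that accepts untrusted SVG would want regardless of library version: extract the DTD, list external entities, compute (without performing) the expansion an entity chain would produce, and refuse any document that carries a DOCTYPE at all. The SVG payloads are constructed for the example; the function and variable names are the example's own.

```python
"""Pre-parse XXE triage for untrusted SVG (added example, not Batik code).

Detects the two failure modes described for CVE-2017-5662:
  * external entities that read server files (information disclosure)
  * nested internal entities that amplify into huge output (denial of service)
The amplification is measured arithmetically so the check itself cannot be
used to trigger the DoS it is looking for.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for the example (not taken from any real report).
XXE_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">
  <text x="10" y="20">&xxe;</text>
</svg>
"""

LAUGHS_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&lol5;</text></svg>
"""

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

# DOCTYPE with an optional internal subset in [...]; ENTITY declarations
# in either external (SYSTEM/PUBLIC + URI) or internal ("literal") form.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[\w.\-]+)\s+'
    r'(?:(?P<ext>SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"|"(?P<value>[^"]*)")',
    re.S)
REF_RE = re.compile(r"&([\w.\-]+);")


def dtd_entities(svg):
    """Return (has_doctype, {name: ('external', uri) | ('internal', text)})."""
    m = DOCTYPE_RE.search(svg)
    if not m:
        return False, {}
    ents = {}
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        if e.group("uri") is not None:
            ents[e.group("name")] = ("external", e.group("uri"))
        else:
            ents[e.group("name")] = ("internal", e.group("value"))
    return True, ents


def expanded_size(name, ents, memo, stack=()):
    """Bytes `name` expands to once nested references are fully resolved.

    Each '&ref;' inside the literal is replaced by the size of its own
    expansion; external entities count as 0 here because their size is
    unknown until fetched (they are reported separately as disclosure risks).
    """
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"recursive entity {name}")  # illegal XML, treat as unbounded
    kind, body = ents.get(name, ("internal", ""))
    size = 0
    if kind == "internal":
        size = len(body)
        for ref in REF_RE.findall(body):
            if ref in ents:
                size += expanded_size(ref, ents, memo, stack + (name,)) - (len(ref) + 2)
    memo[name] = size
    return size


def document_expansion(svg):
    """Total bytes the element content would grow to via declared entities."""
    has_doctype, ents = dtd_entities(svg)
    body = DOCTYPE_RE.sub("", svg, count=1) if has_doctype else svg
    memo = {}
    return sum(expanded_size(r, ents, memo) for r in REF_RE.findall(body) if r in ents)


def assess(svg):
    """Summarise the XXE risk of an SVG document without expanding anything."""
    has_doctype, ents = dtd_entities(svg)
    external = {n: uri for n, (kind, uri) in ents.items() if kind == "external"}
    try:
        expansion = document_expansion(svg)
        amplification = round(expansion / len(svg), 1)
    except ValueError:                      # recursive entity chain
        expansion, amplification = None, float("inf")
    return {
        "has_doctype": has_doctype,
        "external_entities": external,
        "expansion_bytes": expansion,
        "amplification": amplification,
        "reject": has_doctype,              # untrusted SVG never needs a DTD
    }


def parse_untrusted_svg(svg):
    """Hardened entry point: refuse any DOCTYPE, then parse and return the root tag."""
    if assess(svg)["reject"]:
        raise ValueError("DOCTYPE not allowed in untrusted SVG")
    return ET.fromstring(svg).tag


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SVG), ("laughs", LAUGHS_SVG), ("benign", BENIGN_SVG)):
        print(label, assess(doc))
```

The `lol5` chain is about 500 bytes of input and expands to 300,000 bytes; two more levels would reach 30 MB, which is the "trivially trigger an amplification attack" point in the CVE text. The policy encoded in `parse_untrusted_svg` is the one a Java service embedding Batik should apply to its own XML entry points as well: the JAXP feature `http://apache.org/xml/features/disallow-doctype-decl` set to true refuses DTDs before any entity can be declared.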
--- Begin Message ---
Source: batik
Source-Version: 1.9-1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Hoskin <mans0...@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 04 Sep 2017 06:57:58 +0100
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Christopher Hoskin <mans0...@debian.org>
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 605063 860566
Changes:
 batik (1.9-1) unstable; urgency=medium
 .
   * Team upload.
   * Moved the package to Git
   * Updated signing keys from https://www.apache.org/dist/xmlgraphics/batik/KEYS
   * Exclude jar files from documentation-sources
   * Add repack script to remove non-free ICC profiles
   * New upstream (1.9)
       + Fix "CVE-2017-5662: information disclosure vulnerability". Upstream
         claim BATIK-1139 is fixed in 1.9 (Closes: #860566)
   * Disable old patches, pending further investigation
   * Get package building again
       +  maven-artifacts is no longer a target, explicitly add jars to
          DEB_ANT_BUILD_TARGET
       +  Add debian/debian/libbatik-java.poms, call mh_install to install jars
          and poms, for closer alignment to other pkg-java packages
   * Fix spellings in debian/manpages/rasterizer.1
   * Remove redundant remove-js.patch
   * Fix "batik is crashing (libbatik-java)" by patching build.xml to specify
     classpaths as appropriate for Debian (Closes: #605063)
   * Update Standards-Version from 3.9.8 to 4.0.0 (no change required)
   * Update 06_fix_paths_in_policy_files.patch
   * Remove bug805469.patch (fixed upstream
     http://svn.apache.org/viewvc?view=revision&revision=1687506)
   * Update debian/copyright
   * Remove unnecessary greater-than versioned dependencies from debian/control
Checksums-Sha1:
 6bb3201e990bc0061b7356a09d2c148908bd54c5 2195 batik_1.9-1.dsc
 eb839782910346fe98b50052438fefb52fd37943 5665818 batik_1.9.orig.tar.gz
 b567bf2f9110d0cfbb4f62c1a2f7bb4eaa90180c 32800 batik_1.9-1.debian.tar.xz
 34c2600a113eb576ec5141724c581e8c54493b1b 10649 batik_1.9-1_amd64.buildinfo
Checksums-Sha256:
 44e8df4c8abce1c285a83542d3efe655f5ae890cd0e5946097c10457252f96ba 2195 batik_1.9-1.dsc
 a5ec2a8652411db69218ca3cbcaab877735e684af63de6c08f6629321f1b3761 5665818 batik_1.9.orig.tar.gz
 b94691cd86c0833671e72765756829628ac16de7263d86fd51f85d4fb5653275 32800 batik_1.9-1.debian.tar.xz
 95e714f25d3ac34414859c5119b23a7d6f218fde777342ff58507bda40052e5b 10649 batik_1.9-1_amd64.buildinfo
Files:
 168ee81bc4e667c28d8657727cf0e745 2195 java optional batik_1.9-1.dsc
 7c94980690cecd4b86bbde1c72d4e54f 5665818 java optional batik_1.9.orig.tar.gz
 9bb270c7e492a329c1d171bf6bd07c81 32800 java optional batik_1.9-1.debian.tar.xz
 6bc3fd4a13958e32a6babe31bb3cc67c 10649 java optional batik_1.9-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.