Bug#628727: marked as done (httpcomponents-client security issue CVE-2011-1498)

2011-07-03 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jul 2011 19:54:34 +
with message-id 
and subject line Bug#628727: fixed in httpcomponents-client 4.0.1-1squeeze1
has caused the Debian Bug report #628727,
regarding httpcomponents-client security issue CVE-2011-1498
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
628727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628727
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: httpcomponents-client
Version: 4.0.1-1
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for httpcomponents-client.

CVE-2011-1498
[HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be
sent to the target host when tunneling requests through a proxy server that
requires authentication. 

http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
http://seclists.org/oss-sec/2011/q2/188

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry. Please contact the security team to get
the issue addressed in stable as well.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1498
http://security-tracker.debian.org/tracker/CVE-2011-1498


--- End Message ---
--- Begin Message ---
Source: httpcomponents-client
Source-Version: 4.0.1-1squeeze1

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive:

httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
httpcomponents-client_4.0.1-1squeeze1.dsc
  to main/h/httpcomponents-client/httpcomponents-client_4.0.1-1squeeze1.dsc
libhttpclient-java_4.0.1-1squeeze1_all.deb
  to main/h/httpcomponents-client/libhttpclient-java_4.0.1-1squeeze1_all.deb
libhttpmime-java_4.0.1-1squeeze1_all.deb
  to main/h/httpcomponents-client/libhttpmime-java_4.0.1-1squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 20:32:56 -0430
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.0.1-1squeeze1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Miguel Landaeta 
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 628727
Changes: 
 httpcomponents-client (4.0.1-1squeeze1) stable; urgency=high
 .
   * Fixed critical bug causing Proxy-Authorization header to be
     sent to the target host when tunneling requests through a proxy
     server that requires authentication: CVE-2011-1498. (Closes: #628727).
   * Set Debian Java Team as Maintainer and add myself to Uploaders.

Bug#628727: marked as done (httpcomponents-client security issue CVE-2011-1498)

2011-06-30 Thread Debian Bug Tracking System
Your message dated Fri, 01 Jul 2011 05:17:24 +
with message-id 
and subject line Bug#628727: fixed in httpcomponents-client 4.1.1-1
has caused the Debian Bug report #628727,
regarding httpcomponents-client security issue CVE-2011-1498
to be marked as done.

--- Begin Message ---
Source: httpcomponents-client
Source-Version: 4.1.1-1

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive:

httpcomponents-client_4.1.1-1.debian.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.1.1-1.debian.tar.gz
httpcomponents-client_4.1.1-1.dsc
  to main/h/httpcomponents-client/httpcomponents-client_4.1.1-1.dsc
httpcomponents-client_4.1.1.orig.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.1.1.orig.tar.gz
libhttpclient-java_4.1.1-1_all.deb
  to main/h/httpcomponents-client/libhttpclient-java_4.1.1-1_all.deb
libhttpmime-java_4.1.1-1_all.deb
  to main/h/httpcomponents-client/libhttpmime-java_4.1.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 00:13:18 -0430
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Miguel Landaeta 
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 628727 628731
Changes: 
 httpcomponents-client (4.1.1-1) unstable; urgency=high
 .
   * New upstream release:
     Fixed critical bug causing Proxy-Authorization header to be
     sent to the target host when tunneling requests through a proxy
     server that requires authentication: CVE-2011-1498. (Closes: #628727).
   * New maintainer. (Closes: #628731).
   * Bump Standards-Version to 3.9.2. No changes were required.
   * Add Build-Depends on libmockito-java.
   * Update Vcs-* fields.