Processed: Re: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 serious
Bug #882525 [src:jaxb] netbeans FTBFS with jaxb 2.3.0
Severity set to 'serious' from 'important'

-- 
882525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
.
 Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#900323: marked as done (undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993))

2018-06-03 Thread Debian Bug Tracking System
Your message dated Sun, 3 Jun 2018 21:02:34 +0200
with message-id <20180603190234.GA30870@eldamar.local>
and subject line Re: Bug#900323: undertow: CVE-2018-1067: HTTP header injection 
using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
has caused the Debian Bug report #900323,
regarding undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 
Encoding (incomplete fix of CVE-2016-4993)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: undertow
Version: 1.4.3-1
Severity: important
Tags: security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302

Hi,

The following vulnerability was published for undertow, the original
CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix
available at the time of writing.

CVE-2018-1067[0]:
| In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
| fix for CVE-2016-4993 was incomplete and Undertow web server is
| vulnerable to the injection of arbitrary HTTP headers, and also
| response splitting, due to insufficient sanitization and validation of
| user input before the input is used as part of an HTTP header value.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1067
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1067
[1] https://issues.jboss.org/browse/UNDERTOW-1302

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: undertow
Source-Version: 1.4.25-1

On Tue, May 29, 2018 at 07:15:33AM +0200, Salvatore Bonaccorso wrote:
> Source: undertow
> Version: 1.4.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302
> 
> Hi,
> 
> The following vulnerability was published for undertow, the original
> CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix
> available at the time of writing.
> 
> CVE-2018-1067[0]:
> | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
> | fix for CVE-2016-4993 was incomplete and Undertow web server is
> | vulnerable to the injection of arbitrary HTTP headers, and also
> | response splitting, due to insufficient sanitization and validation of
> | user input before the input is used as part of an HTTP header value.

So there is now a bit more information available, and the issue was
already fixed with
https://github.com/undertow-io/undertow/commit/85d4478e598105fe94ac152d3e11e388374e8b86
which is in 1.4.25.Final.

Thus marking the issue as fixed in 1.4.25-1.

Regards,
Salvatore
--- End Message ---

Bug#900323: undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

2018-06-03 Thread Salvatore Bonaccorso
Source: undertow
Source-Version: 1.4.25-1

On Tue, May 29, 2018 at 07:15:33AM +0200, Salvatore Bonaccorso wrote:
> Source: undertow
> Version: 1.4.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302
> 
> Hi,
> 
> The following vulnerability was published for undertow, the original
> CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix
> available at the time of writing.
> 
> CVE-2018-1067[0]:
> | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
> | fix for CVE-2016-4993 was incomplete and Undertow web server is
> | vulnerable to the injection of arbitrary HTTP headers, and also
> | response splitting, due to insufficient sanitization and validation of
> | user input before the input is used as part of an HTTP header value.

So there is now a bit more information available, and the issue was
already fixed with
https://github.com/undertow-io/undertow/commit/85d4478e598105fe94ac152d3e11e388374e8b86
which is in 1.4.25.Final.

Thus marking the issue as fixed in 1.4.25-1.

Regards,
Salvatore


mckoisqldb_1.0.6-1_amd64.changes is NEW

2018-06-03 Thread Debian FTP Masters
binary:libmckoisqldb-java is NEW.
binary:libmckoisqldb-java-doc is NEW.
binary:libmckoisqldb-java-doc is NEW.
binary:libmckoisqldb-java is NEW.
source:mckoisqldb is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
 or https://ftp-master.debian.org/backports-new.html for *-backports


Processing of mckoisqldb_1.0.6-1_amd64.changes

2018-06-03 Thread Debian FTP Masters
mckoisqldb_1.0.6-1_amd64.changes uploaded successfully to localhost
along with the files:
  mckoisqldb_1.0.6-1.dsc
  mckoisqldb_1.0.6.orig.tar.gz
  mckoisqldb_1.0.6-1.debian.tar.xz
  libmckoisqldb-java-doc_1.0.6-1_all.deb
  libmckoisqldb-java_1.0.6-1_all.deb
  mckoisqldb_1.0.6-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


snakeyaml_1.21-1_source.changes ACCEPTED into unstable

2018-06-03 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Sun, 03 Jun 2018 17:02:57 +0100
Source: snakeyaml
Binary: libyaml-snake-java libyaml-snake-java-doc
Architecture: source
Version: 1.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Miguel Landaeta 
Description:
 libyaml-snake-java - YAML parser and emitter for the Java programming language
 libyaml-snake-java-doc - Documentation for SnakeYAML
Changes:
 snakeyaml (1.21-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * Bump Standards-Version to 4.1.4. No changes were required.
   * Migrate Vcs-* URLs to salsa.d.o.


Thank you for your contribution to Debian.


Bug#882525: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Markus Koschany
Control: reopen -1

jaxb 2.3.0.1-2 fails to build from source. Reopening.




Processed: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #882525 {Done: Emmanuel Bourg } [src:jaxb] netbeans 
FTBFS with jaxb 2.3.0
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions jaxb/2.3.0.1-2.

-- 
882525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#899332: marked as done (CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication)

2018-06-03 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jun 2018 11:32:43 +
with message-id 
and subject line Bug#899332: fixed in zookeeper 3.4.9-3+deb8u1
has caused the Debian Bug report #899332,
regarding CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zookeeper
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Fixed: 3.4.10-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2018-8012[0]:
| No authentication/authorization is enforced when a server attempts to
| join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha
| through 3.5.3-beta. As a result an arbitrary end point could join the
| cluster and begin propagating counterfeit changes to the leader.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.4.9-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 23 May 2018 22:34:43 +0200
Source: zookeeper
Binary: libzookeeper-java zookeeper zookeeperd libzookeeper-java-doc 
libzookeeper-mt2 libzookeeper-st2 libzookeeper2 libzookeeper-mt-dev 
libzookeeper-st-dev zookeeper-bin python-zookeeper
Architecture: source all amd64
Version: 3.4.9-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libzookeeper-java - Core Java libraries for zookeeper
 libzookeeper-java-doc - API Documentation for zookeeper
 libzookeeper-mt-dev - Development files for multi threaded zookeeper C bindings
 libzookeeper-mt2 - Multi threaded C bindings for zookeeper
 libzookeeper-st-dev - Development files for single threaded zookeeper C 
bindings
 libzookeeper-st2 - Single threaded C bindings for zookeeper
 libzookeeper2 - C bindings for zookeeper - transitional package
 python-zookeeper - Python bindings for zookeeper
 zookeeper  - High-performance coordination service for distributed application
 zookeeper-bin - Command line utilities for zookeeper
 zookeeperd - Init control scripts for zookeeper
Closes: 899332
Changes:
 zookeeper (3.4.9-3+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-8012:
 No authentication/authorization is enforced when a server attempts to join
 a quorum in Apache ZooKeeper. As a result an arbitrary end point could join
 the cluster and begin propagating counterfeit changes to the leader.
 (Closes: #899332)

Bug#899374: marked as done (batik: CVE-2018-8013)

2018-06-03 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jun 2018 11:32:35 +
with message-id 
and subject line Bug#899374: fixed in batik 1.7+dfsg-5+deb8u1
has caused the Debian Bug report #899374,
regarding batik: CVE-2018-8013
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899374
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerability was published for batik.

CVE-2018-8013[0]:
Apache Batik information disclosure vulnerability

Unfortunately the report does not share details, but it was posted at
[1], referring as affected versions 1.0 up to 1.9.1 and fixed in 1.10.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
[1] http://www.openwall.com/lists/oss-security/2018/05/23/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: batik
Source-Version: 1.7+dfsg-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 May 2018 18:25:57 +0200
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.7+dfsg-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 860566 899374
Changes:
 batik (1.7+dfsg-5+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
   * Fix CVE-2018-8013: information disclosure when deserializing a subclass of
 AbstractDocument. (Closes: #899374)

Bug#899332: marked as done (CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication)

2018-06-03 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jun 2018 11:03:01 +
with message-id 
and subject line Bug#899332: fixed in zookeeper 3.4.9-3+deb9u1
has caused the Debian Bug report #899332,
regarding CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zookeeper
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Fixed: 3.4.10-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2018-8012[0]:
| No authentication/authorization is enforced when a server attempts to
| join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha
| through 3.5.3-beta. As a result an arbitrary end point could join the
| cluster and begin propagating counterfeit changes to the leader.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.4.9-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 23 May 2018 22:34:43 +0200
Source: zookeeper
Binary: libzookeeper-java zookeeper zookeeperd libzookeeper-java-doc 
libzookeeper-mt2 libzookeeper-st2 libzookeeper2 libzookeeper-mt-dev 
libzookeeper-st-dev zookeeper-bin python-zookeeper
Architecture: source all amd64
Version: 3.4.9-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libzookeeper-java - Core Java libraries for zookeeper
 libzookeeper-java-doc - API Documentation for zookeeper
 libzookeeper-mt-dev - Development files for multi threaded zookeeper C bindings
 libzookeeper-mt2 - Multi threaded C bindings for zookeeper
 libzookeeper-st-dev - Development files for single threaded zookeeper C 
bindings
 libzookeeper-st2 - Single threaded C bindings for zookeeper
 libzookeeper2 - C bindings for zookeeper - transitional package
 python-zookeeper - Python bindings for zookeeper
 zookeeper  - High-performance coordination service for distributed application
 zookeeper-bin - Command line utilities for zookeeper
 zookeeperd - Init control scripts for zookeeper
Closes: 899332
Changes:
 zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-8012:
 No authentication/authorization is enforced when a server attempts to join
 a quorum in Apache ZooKeeper. As a result an arbitrary end point could join
 the cluster and begin propagating counterfeit changes to the leader.
 (Closes: #899332)

Bug#899374: marked as done (batik: CVE-2018-8013)

2018-06-03 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jun 2018 11:02:08 +
with message-id 
and subject line Bug#899374: fixed in batik 1.8-4+deb9u1
has caused the Debian Bug report #899374,
regarding batik: CVE-2018-8013
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899374
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerability was published for batik.

CVE-2018-8013[0]:
Apache Batik information disclosure vulnerability

Unfortunately the report does not share details, but it was posted at
[1], referring as affected versions 1.0 up to 1.9.1 and fixed in 1.10.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
[1] http://www.openwall.com/lists/oss-security/2018/05/23/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: batik
Source-Version: 1.8-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 May 2018 18:59:04 +0200
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.8-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 860566 899374
Changes:
 batik (1.8-4+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
   * Fix CVE-2018-8013: information disclosure when deserializing a subclass of
 AbstractDocument. (Closes: #899374)

batik_1.8-4+deb9u1_amd64.changes ACCEPTED into proposed-updates->stable-new, proposed-updates

2018-06-03 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Wed, 30 May 2018 18:59:04 +0200
Source: batik
Binary: libbatik-java
Architecture: source all
Version: 1.8-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 860566 899374
Changes:
 batik (1.8-4+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
   * Fix CVE-2018-8013: information disclosure when deserializing a subclass of
 AbstractDocument. (Closes: #899374)


Thank you for your contribution to Debian.
