Processed: fixed 930872 in 9.0.22-1

2020-02-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> fixed 930872 9.0.22-1
Bug #930872 {Done: Emmanuel Bourg } [src:tomcat9] tomcat9: 
CVE-2019-10072
Marked as fixed in versions tomcat9/9.0.22-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.

relaxngcc: status change on tests.reproducible-builds.org/debian

2020-02-24 Thread Reproducible builds folks
2020-02-24 18:59 
https://tests.reproducible-builds.org/debian/unstable/amd64/relaxngcc changed 
from reproducible -> FTBR


Bug#948553: marked as done (Tomcat9 startup script ignores CATALINA_PID)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Tue, 25 Feb 2020 00:09:05 +
with message-id 
and subject line Bug#948553: fixed in tomcat9 9.0.31-1
has caused the Debian Bug report #948553,
regarding Tomcat9 startup script ignores CATALINA_PID
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
948553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948553
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat9
Version: 9.0.16-4

In Debian 10 (buster)

/usr/share/tomcat9/bin/catalina.sh is ignoring the CATALINA_PID
variable and therefore does not generate a PID file accordingly.

example startup command :

set -a; JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"; source
"/etc/default/tomcat9"; CATALINA_HOME="/usr/share/tomcat9";
CATALINA_BASE="/var/lib/tomcat9"; JAVA_OPTS="-Djava.awt.headless=true
-server -Xmx1280M -Xms1280M -Xss2M -Dfile.encoding=EUC-JP
-XX:+PrintGCDetails -XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/volatile/dump/db2-11-test2 -Dcom.atson.test=true
-Dcom.atson.local=false -Dcom.atson.webapp=true
-Dcom.atson.useDB2Type4=false -Dcom.atson.useDataSourceResource=true
-Dcom.atson.XLINK_VIA_GW=true"; \ CATALINA_PID="/var/run/tomcat9.pid";
CATALINA_TMPDIR="/tmp/tomcat9-tomcat9-tmp"; LANG="C.UTF-8";
JSSE_HOME=""; cd "/var/lib/tomcat9";
"/usr/share/tomcat9/bin/catalina.sh" start

The origin of the problem can be found in this line (actually 2 identical
lines) :

2\>\&1 \&\& echo \$! \>\"$catalina_pid_file\" \; \} $catalina_out_command "&"

with this change it works as expected :

-2\>\&1 \&\& echo \$! \>\"$catalina_pid_file\" \; \}
$catalina_out_command "&" +2\>\&1 \& echo \$! \>\"$catalina_pid_file\"
\; \} $catalina_out_command "&"
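Review bot: the `+` line swaps `\&\&` for `\&` in a single place, but the report says catalina.sh contains two identical lines, so both occurrences need the same change or one start path will still leave the PID file unwritten. With `\&` the `echo \$!` also runs unconditionally, so the file named by `$catalina_pid_file` is written even when the launch fails straight away. A short comment beside the line noting that `$!` only refers to the new process once the preceding command has been backgrounded would keep the `&&` from being reintroduced.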
--- End Message ---
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.31-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 948...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 23:37:00 +0100
Source: tomcat9
Architecture: source
Version: 9.0.31-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 930872 931997 942316 948553 952437
Changes:
 tomcat9 (9.0.31-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2019-10072: Denial of Service (Closes: #930872)
     - Fixes CVE-2019-12418: Local Privilege Escalation
     - Fixes CVE-2019-17563: Session fixation attack
     - Fixes CVE-2019-17569: HTTP Request Smuggling
     - Fixes CVE-2020-1935: HTTP Request Smuggling
     - Fixes CVE-2020-1938: AJP Request Injection (Closes: #952437)
     - Fixes CATALINA_PID handling in catalina.sh (Closes: #948553)
     - Refreshed the patches
     - Fixed the compilation with Java 11
   * Moved the RequiresMountsFor directive in the service file
     to the Unit section (Closes: #942316)
   * Tightened the dependency on systemd (Closes: #931997)
   * Standards-Version updated to 4.5.0

Bug#931997: marked as done (tomcat9: [/usr/lib/sysusers.d/tomcat9.conf:7] Trailing garbage.)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Tue, 25 Feb 2020 00:09:05 +
with message-id 
and subject line Bug#931997: fixed in tomcat9 9.0.31-1
has caused the Debian Bug report #931997,
regarding tomcat9: [/usr/lib/sysusers.d/tomcat9.conf:7] Trailing garbage.
to be marked as done.



-- 
931997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931997
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat9
Version: 9.0.16-4~bpo9+1
Severity: important

The stretch backport of tomcat9 fails to install with the standard
stretch version of systemd (232-25+deb9u11). It does work with the
stretch backport of systemd (241-5~bpo9+1).

The errors look like this:

  Setting up tomcat9 (9.0.16-4~bpo9+1) ...
  [/usr/lib/sysusers.d/tomcat9.conf:7] Trailing garbage.

  Creating config file /etc/tomcat9/tomcat-users.xml with new version
  chown: invalid group: ‘root:tomcat’
  dpkg: error processing package tomcat9 (--configure):
   subprocess installed post-installation script returned error exit status 1


-- System Information:
Debian Release: 9.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat9 depends on:
ii  lsb-base        9.20161125
ii  systemd         232-25+deb9u11
ii  tomcat9-common  9.0.16-4~bpo9+1
ii  ucf             3.0036

Versions of packages tomcat9 recommends:
ii  libtcnative-1  1.2.21-1~bpo9+1

Versions of packages tomcat9 suggests:
pn  tomcat9-admin 
pn  tomcat9-docs  
pn  tomcat9-examples  
pn  tomcat9-user  

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.31-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#952437: marked as done (tomcat9: CVE-2020-1938 AJP Request Injection and potential RCE)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Tue, 25 Feb 2020 00:09:05 +
with message-id 
and subject line Bug#952437: fixed in tomcat9 9.0.31-1
has caused the Debian Bug report #952437,
regarding tomcat9: CVE-2020-1938 AJP Request Injection and potential RCE
to be marked as done.



-- 
952437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat9
Version: 9.0.16-4
Severity: important

Hi,

tomcat9, as shipped with Debian buster/stable, is vulnerable to "ghostcat",
see https://www.chaitin.cn/en/ghostcat .  PoC exploit code has been published.
Specifically, Apache Tomcat 9.x < 9.0.31 is vulnerable.  Upstream has published
9.0.31 to fix this vulnerability (and other issues, see
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html ).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default Tomcat AJP Connector only listens on
localhost:8009, not on *:8009 .

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost
--- End Message ---
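
An added example, not part of the report above or of the Debian or Tomcat code: a check of the bind address of every AJP connector in a server.xml, which is the condition the report uses to judge whether the AJP port is reachable from the network. The sample XML is constructed, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml for the demonstration; not taken from a real host.
SAMPLE_SERVER_XML = """\
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8008" protocol="AJP/1.3" address="0.0.0.0"/> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"/>
    <Connector port="8011" protocol="AJP/1.3"/>
    <Connector port="8012" protocol="org.apache.coyote.ajp.AjpNioProtocol" address="::1"/>
  </Service>
</Server>
"""


def is_ajp(protocol):
    """True for 'AJP/1.3' and for AJP protocol handler class names."""
    return protocol.upper().startswith("AJP/") or ".ajp." in protocol.lower()


def classify_bind(address):
    """Classify a connector's address attribute.

    'loopback' - bound to localhost only, as in the default described above
    'exposed'  - bound to a wildcard or a routable interface address
    'review'   - no address attribute (the effective bind then depends on the
                 Tomcat version's default) or a hostname that has to be
                 resolved on the host itself
    """
    if address is None:
        return "review"
    addr = address.strip()
    if addr.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "review"
    return "loopback" if ip.is_loopback else "exposed"


def audit_ajp(server_xml):
    """Return (port, address, verdict) for each active AJP connector.

    Connectors inside XML comments are skipped by the parser, which matches
    what Tomcat itself would load.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute is an HTTP connector.
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")
        findings.append((conn.get("port"), address, classify_bind(address)))
    return findings


def needs_attention(server_xml):
    """Ports of AJP connectors that are not provably loopback-only."""
    return [port for port, _, verdict in audit_ajp(server_xml)
            if verdict != "loopback"]


if __name__ == "__main__":
    for port, address, verdict in audit_ajp(SAMPLE_SERVER_XML):
        print(f"AJP connector port={port} address={address!r}: {verdict}")
```

On a live host, compare the result with the sockets the JVM actually holds (for example the listener on port 8009), since the file only shows what was configured.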
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.31-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#942316: marked as done (tomcat9: error in tomcat9.service?)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Tue, 25 Feb 2020 00:09:05 +
with message-id 
and subject line Bug#942316: fixed in tomcat9 9.0.31-1
has caused the Debian Bug report #942316,
regarding tomcat9: error in tomcat9.service?
to be marked as done.



-- 
942316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat9
Version: 9.0.16-4
Severity: normal

Dear Maintainer,

Regarding the following message in journalctl:
systemd[1]: /lib/systemd/system/tomcat9.service:27: Unknown lvalue 
'RequiresMountsFor' in section 'Service', ignoring

I suspect that the 'RequiresMountsFor' directive should be in the [Unit] section 
and not in the [Service] one, isn't it?

Thanks,
Patrice



-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tomcat9 depends on:
ii  lsb-base        10.2019051400
ii  systemd         241-7~deb10u1
ii  tomcat9-common  9.0.16-4
ii  ucf             3.0038+nmu1

Versions of packages tomcat9 recommends:
ii  libtcnative-1  1.2.21-1

Versions of packages tomcat9 suggests:
ii  tomcat9-admin 9.0.16-4
pn  tomcat9-docs  
pn  tomcat9-examples  
pn  tomcat9-user  

-- Configuration Files:
/etc/tomcat9/policy.d/01system.policy [Errno 13] Permission non accordée: 
'/etc/tomcat9/policy.d/01system.policy'
/etc/tomcat9/policy.d/02debian.policy [Errno 13] Permission non accordée: 
'/etc/tomcat9/policy.d/02debian.policy'
/etc/tomcat9/policy.d/03catalina.policy [Errno 13] Permission non accordée: 
'/etc/tomcat9/policy.d/03catalina.policy'
/etc/tomcat9/policy.d/04webapps.policy [Errno 13] Permission non accordée: 
'/etc/tomcat9/policy.d/04webapps.policy'
/etc/tomcat9/policy.d/50local.policy [Errno 13] Permission non accordée: 
'/etc/tomcat9/policy.d/50local.policy'

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.31-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 942...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#930872: marked as done (tomcat9: CVE-2019-10072)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Tue, 25 Feb 2020 00:09:05 +
with message-id 
and subject line Bug#930872: fixed in tomcat9 9.0.31-1
has caused the Debian Bug report #930872,
regarding tomcat9: CVE-2019-10072
to be marked as done.



-- 
930872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat9
Version: 9.0.16-4
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:tomcat8 8.5.39-1
Control: retitle -2 tomcat8: CVE-2019-10072

Hi,

The following vulnerability was published for tomcat9.

CVE-2019-10072[0]:
| The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
| connection window exhaustion on write in Apache Tomcat versions
| 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE
| messages for the connection window (stream 0) clients were able to
| cause server-side threads to block eventually leading to thread
| exhaustion and a DoS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
[1] 
https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.31-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)




tomcat9_9.0.31-1_source.changes ACCEPTED into unstable

2020-02-24 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 23:37:00 +0100
Source: tomcat9
Architecture: source
Version: 9.0.31-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 930872 931997 942316 948553 952437
Changes:
 tomcat9 (9.0.31-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2019-10072: Denial of Service (Closes: #930872)
     - Fixes CVE-2019-12418: Local Privilege Escalation
     - Fixes CVE-2019-17563: Session fixation attack
     - Fixes CVE-2019-17569: HTTP Request Smuggling
     - Fixes CVE-2020-1935: HTTP Request Smuggling
     - Fixes CVE-2020-1938: AJP Request Injection (Closes: #952437)
     - Fixes CATALINA_PID handling in catalina.sh (Closes: #948553)
     - Refreshed the patches
     - Fixed the compilation with Java 11
   * Moved the RequiresMountsFor directive in the service file
     to the Unit section (Closes: #942316)
   * Tightened the dependency on systemd (Closes: #931997)
   * Standards-Version updated to 4.5.0


Thank you for your contribution to Debian.


Processing of tomcat9_9.0.31-1_source.changes

2020-02-24 Thread Debian FTP Masters
tomcat9_9.0.31-1_source.changes uploaded successfully to localhost
along with the files:
  tomcat9_9.0.31-1.dsc
  tomcat9_9.0.31.orig.tar.xz
  tomcat9_9.0.31-1.debian.tar.xz
  tomcat9_9.0.31-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


Processed: Bug#942316 marked as pending in tomcat9

2020-02-24 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #942316 [tomcat9] tomcat9: error in tomcat9.service?
Added tag(s) pending.

-- 
942316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Processed: Bug#931997 marked as pending in tomcat9

2020-02-24 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #931997 [tomcat9] tomcat9: [/usr/lib/sysusers.d/tomcat9.conf:7] Trailing 
garbage.
Added tag(s) pending.

-- 
931997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931997
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Processed: your mail

2020-02-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 952437 tomcat9: CVE-2020-1938 AJP Request Injection and potential RCE
Bug #952437 [tomcat9] tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
Changed Bug title to 'tomcat9: CVE-2020-1938 AJP Request Injection and 
potential RCE' from 'tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487'.
> retitle 952438 tomcat8: CVE-2020-1938 AJP Request Injection and potential RCE
Bug #952438 [tomcat8] tomcat8: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
Changed Bug title to 'tomcat8: CVE-2020-1938 AJP Request Injection and 
potential RCE' from 'tomcat8: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487'.
> retitle 952436 tomcat7: CVE-2020-1938 AJP Request Injection and potential RCE
Bug #952436 [tomcat7] tomcat7: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
Changed Bug title to 'tomcat7: CVE-2020-1938 AJP Request Injection and 
potential RCE' from 'tomcat7: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487'.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
952436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952436
952437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952437
952438: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952438
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Processed: found 952436 in 7.0.75-1, tagging 952436, tagging 952438

2020-02-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 952436 7.0.75-1
Bug #952436 [tomcat7] tomcat7: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
There is no source info for the package 'tomcat7' at version '7.0.75-1' with 
architecture ''
Unable to make a source version for version '7.0.75-1'
Marked as found in versions 7.0.75-1.
> tags 952436 + security upstream
Bug #952436 [tomcat7] tomcat7: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
Added tag(s) security and upstream.
> tags 952438 + security upstream
Bug #952438 [tomcat8] tomcat8: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
Added tag(s) security and upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
952436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952436
952438: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952438
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#935203: tomcat9: systemd configuration fails to allow tomcat to write to it's own directory

2020-02-24 Thread Emmanuel Bourg
Hi Kit,

Thank you for the report. Does it work better if you install systemd
241-5~bpo9+1 from stretch-backports?

Emmanuel Bourg


Bug#948553: Tomcat9 startup script ignores CATALINA_PID

2020-02-24 Thread Emmanuel Bourg
It looks like this is fixed in Tomcat 9.0.17 (not packaged yet).

Emmanuel Bourg


Bug#950966: marked as done (netty: CVE-2019-20444)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Mon, 24 Feb 2020 16:36:10 +
with message-id 
and subject line Bug#950966: fixed in netty 1:4.1.45-1
has caused the Debian Bug report #950966,
regarding netty: CVE-2019-20444
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
950966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950966
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.33-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9866

Hi,

The following vulnerability was published for netty.

CVE-2019-20444[0]:
| HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header
| that lacks a colon, which might be interpreted as a separate header
| with an incorrect syntax, or might be interpreted as an "invalid
| fold."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
[1] https://github.com/netty/netty/issues/9866
[2] 
https://github.com/netty/netty/commit/a7c18d44b46e02dadfe3da225a06e5091f5f328e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.45-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 17:10:37 +0100
Source: netty
Architecture: source
Version: 1:4.1.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 950966 950967
Changes:
 netty (1:4.1.45-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
 - Fixes CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238
   (Closes: #950966, #950967)
 - Refreshed the patches
 - Updated the Maven rules
 - Depend on libnetty-tcnative-java (>= 2.0.28)
 - Disabled the native image support due to missing dependencies
 - Disabled the BlockHound integration
   * Standards-Version updated to 4.5.0

Bug#950967: marked as done (netty: CVE-2019-20445 CVE-2020-7238)

2020-02-24 Thread Debian Bug Tracking System
Your message dated Mon, 24 Feb 2020 16:36:11 +
with message-id 
and subject line Bug#950967: fixed in netty 1:4.1.45-1
has caused the Debian Bug report #950967,
regarding netty: CVE-2019-20445 CVE-2020-7238
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
950967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.33-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9861

Hi,

The following vulnerabilities were published for netty.

CVE-2019-20445[0]:
| HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
| header to be accompanied by a second Content-Length header, or by a
| Transfer-Encoding header.


CVE-2020-7238[1]:
| Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles
| Transfer-Encoding whitespace (such as a [space]Transfer-
| Encoding:chunked line) and a later Content-Length header. This issue
| exists because of an incomplete fix for CVE-2019-16869.

Both appear to be fixed with the same fix upstream, as per [2].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
[1] https://security-tracker.debian.org/tracker/CVE-2020-7238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
[2] https://github.com/netty/netty/issues/9861

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
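
The header checks that CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238 describe as missing, written as a stand-alone Python validator. This is an added example, not Netty's code or its upstream fix; the function name, finding codes and sample requests are constructed for illustration.

```python
import re

# Field names must be RFC 7230 "token" characters: no spaces, no control bytes.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
DIGITS = re.compile(r"[0-9]+")


def audit_request_head(head: bytes) -> list:
    """Return (line_number, code) findings for one HTTP/1.1 request head.

    Line number 0 marks a finding about the header set as a whole.
    """
    findings = []
    fields = {}  # lower-cased field name -> list of values
    lines = head.split(b"\r\n")
    for number, raw in enumerate(lines[1:], start=2):  # line 1 is the request line
        if raw == b"":
            break  # blank line ends the header block
        text = raw.decode("latin-1")
        if text[0] in " \t":
            # Looks like an obsolete line fold; parsers disagree on whether it
            # continues the previous header or starts a new one.
            findings.append((number, "leading-whitespace"))
            text = text.lstrip(" \t")
        name, colon, value = text.partition(":")
        if not colon:
            findings.append((number, "missing-colon"))
            continue
        if not TOKEN.fullmatch(name):
            findings.append((number, "invalid-field-name"))
        # Record the field under a normalised name anyway, so a disguised
        # Transfer-Encoding still takes part in the framing checks below.
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    lengths = fields.get("content-length", [])
    if len(lengths) > 1:
        findings.append((0, "duplicate-content-length"))
    if lengths and "transfer-encoding" in fields:
        findings.append((0, "content-length-with-transfer-encoding"))
    if any(not DIGITS.fullmatch(value) for value in lengths):
        findings.append((0, "non-numeric-content-length"))
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
NO_COLON = (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
            b"X-Broken value\r\n\r\n")
DOUBLE_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello")
SPACE_TE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
            b" Transfer-Encoding:chunked\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("no colon", NO_COLON),
                          ("two Content-Length", DOUBLE_CL),
                          ("[space]Transfer-Encoding", SPACE_TE)]:
        print(label, audit_request_head(sample))
```

A front end that rejects any request with a non-empty findings list never forwards a message whose framing a second parser could read differently.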
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.45-1
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 17:10:37 +0100
Source: netty
Architecture: source
Version: 1:4.1.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 950966 950967
Changes:
 netty (1:4.1.45-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
 - Fixes CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238
   (Closes: #950966, #950967)
 - Refreshed the patches
 - Updated the Maven rules
 - Depend on libnetty-tcnative-java (>= 2.0.28)
 - Disabled the native image support due to missing dependencies
 - Disabled the BlockHound integration
   * Standards-Version updated to 4.5.0


netty_4.1.45-1_source.changes ACCEPTED into unstable

2020-02-24 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 17:10:37 +0100
Source: netty
Architecture: source
Version: 1:4.1.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 950966 950967
Changes:
 netty (1:4.1.45-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
 - Fixes CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238
   (Closes: #950966, #950967)
 - Refreshed the patches
 - Updated the Maven rules
 - Depend on libnetty-tcnative-java (>= 2.0.28)
 - Disabled the native image support due to missing dependencies
 - Disabled the BlockHound integration
   * Standards-Version updated to 4.5.0



Thank you for your contribution to Debian.


Processing of netty_4.1.45-1_source.changes

2020-02-24 Thread Debian FTP Masters
netty_4.1.45-1_source.changes uploaded successfully to localhost
along with the files:
  netty_4.1.45-1.dsc
  netty_4.1.45.orig.tar.xz
  netty_4.1.45-1.debian.tar.xz
  netty_4.1.45-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


jruby-joni_2.1.31-1_source.changes ACCEPTED into unstable

2020-02-24 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 22:50:58 +0900
Source: jruby-joni
Architecture: source
Version: 2.1.31-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Hideki Yamane 
Changes:
 jruby-joni (2.1.31-1) unstable; urgency=medium
 .
   * New upstream release
   * debian/control
 - update Build-Depends-Indeps: libjcodings-java (>= 1.0.46)
 - set Standards-Version: 4.5.0



Thank you for your contribution to Debian.


Processed: found 952437 in 9.0.27-1

2020-02-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 952437 9.0.27-1
Bug #952437 [tomcat9] tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / 
CNVD-2020-10487
Marked as found in versions tomcat9/9.0.27-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
952437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Processing of jruby-joni_2.1.31-1_source.changes

2020-02-24 Thread Debian FTP Masters
jruby-joni_2.1.31-1_source.changes uploaded successfully to localhost
along with the files:
  jruby-joni_2.1.31-1.dsc
  jruby-joni_2.1.31.orig.tar.gz
  jruby-joni_2.1.31-1.debian.tar.xz
  jruby-joni_2.1.31-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


Bug#952436: Bug#952437: tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487

2020-02-24 Thread Emmanuel Bourg
Le 24/02/2020 à 14:32, Joost van Baal-Ilić a écrit :

> Tomcat as shipped by Debian is likely not vulnerable from the network in the
> default configuration, since by default Tomcat AJP Connector only listens on
> localhost:8009, not on *:8009 .

I confirm the Tomcat packages shipped in Debian aren't vulnerable with
the default configuration, the AJP connector has been disabled by
default since 2008.

https://salsa.debian.org/java-team/tomcat9/blob/debian/9.0.16-4/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

https://salsa.debian.org/java-team/tomcat8/blob/debian/8.5.50-0+deb9u1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

https://salsa.debian.org/java-team/tomcat7/blob/debian/7.0.56-3+really7.0.91-1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

Emmanuel Bourg


Bug#952438: tomcat8: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487

2020-02-24 Thread Joost van Baal-Ilić
Package: tomcat8
Version: 8.5.50-0+deb9u1
Severity: important

Hi,

tomcat8, as shipped with Debian stretch/oldstable is vulnerable to "ghostcat",
see https://www.chaitin.cn/en/ghostcat .  PoC exploit code has been published.
Specifically, Apache Tomcat 8.x < 8.5.51 is vulnerable.  Upstream has published
8.5.51 to fix this vulnerability (and other issues, see
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default Tomcat AJP Connector only listens on
localhost:8009, not on *:8009 .

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost


Bug#952437: tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487

2020-02-24 Thread Joost van Baal-Ilić
Package: tomcat9
Version: 9.0.16-4
Severity: important

Hi,

tomcat9, as shipped with Debian buster/stable is vulnerable to "ghostcat",
see https://www.chaitin.cn/en/ghostcat .  PoC exploit code has been published.
Specifically, Apache Tomcat 9.x < 9.0.31 is vulnerable.  Upstream has published
9.0.31 to fix this vulnerability (and other issues, see
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html ).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default Tomcat AJP Connector only listens on
localhost:8009, not on *:8009 .

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost


Bug#952436: tomcat7: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487

2020-02-24 Thread Joost van Baal-Ilić
Package: tomcat7
Version: 7.0.56-3+really7.0.99-1
Severity: important


Hi,

tomcat7, as shipped with Debian jessie/oldoldstable (and 8 and 9) are
vulnerable to "ghostcat", see https://www.chaitin.cn/en/ghostcat .  PoC
exploit code has been published.  Specifically,

 Apache Tomcat 9.x < 9.0.31
 Apache Tomcat 8.x < 8.5.51
 Apache Tomcat 7.x < 7.0.100

are vulnerable.  Upstream has published 9.0.31, 8.5.51, and 7.0.100 to fix this
vulnerability (and other issues).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default Tomcat AJP Connector only listens on
localhost:8009, not on *:8009 .

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost
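
A local audit for the condition discussed in these reports: does the installed upstream version predate the fixed release, and is an AJP connector actually enabled in server.xml and bound beyond loopback. This is an added example, not part of the Debian packaging; the function names and both server.xml samples are constructed, and the version check looks only at the upstream version, so an upload that backports the fix would still be flagged.

```python
import re
import xml.etree.ElementTree as ET

# First fixed upstream releases, as listed in the bug reports above.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def upstream_version(debian_version: str) -> tuple:
    """Extract upstream (x, y, z) from a Debian version string.

    Handles an epoch ("1:...") and the "+really" convention, where the real
    upstream version follows "+really" (7.0.56-3+really7.0.99-1 is 7.0.99).
    """
    version = debian_version.split(":", 1)[-1]
    if "+really" in version:
        version = version.split("+really", 1)[1]
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised version: " + debian_version)
    return tuple(int(part) for part in match.groups())


def predates_fix(debian_version: str) -> bool:
    """True when the upstream version is older than the fixed release."""
    upstream = upstream_version(debian_version)
    fixed = FIXED.get(upstream[0])
    return fixed is not None and upstream < fixed


def ajp_connectors(server_xml: str) -> list:
    """List enabled AJP connectors; commented-out ones are not parsed."""
    found = []
    for connector in ET.fromstring(server_xml).iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():  # "AJP/1.3" or an ...ajp.* class name
            continue
        address = connector.get("address")
        # On releases before the fix, a connector without an address
        # attribute listens on all interfaces.
        exposure = "loopback" if address in LOOPBACK else "network"
        found.append({"port": connector.get("port"),
                      "address": address, "exposure": exposure})
    return found


def assess(debian_version: str, server_xml: str) -> str:
    """Combine both checks into one result code."""
    if not predates_fix(debian_version):
        return "upstream-fixed"
    connectors = ajp_connectors(server_xml)
    if not connectors:
        return "ajp-disabled"
    if any(c["exposure"] == "network" for c in connectors):
        return "ajp-network"
    return "ajp-loopback-only"


# Constructed samples: AJP commented out, and AJP enabled twice.
COMMENTED_OUT = """<Server port="-1">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""

ENABLED = """<Server port="-1">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8010" protocol="AJP/1.3"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for version, xml in [("9.0.16-4", COMMENTED_OUT), ("9.0.16-4", ENABLED),
                         ("7.0.56-3+really7.0.99-1", ENABLED),
                         ("9.0.31-1", ENABLED)]:
        print(version, assess(version, xml))
```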


netty-tcnative_2.0.28-1_source.changes ACCEPTED into unstable

2020-02-24 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 13:30:06 +0100
Source: netty-tcnative
Architecture: source
Version: 2.0.28-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Changes:
 netty-tcnative (2.0.28-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
 - Refreshed the patches
 - Updated the Maven rules
   * Standards-Version updated to 4.5.0



Thank you for your contribution to Debian.


Processing of netty-tcnative_2.0.28-1_source.changes

2020-02-24 Thread Debian FTP Masters
netty-tcnative_2.0.28-1_source.changes uploaded successfully to localhost
along with the files:
  netty-tcnative_2.0.28-1.dsc
  netty-tcnative_2.0.28.orig.tar.xz
  netty-tcnative_2.0.28-1.debian.tar.xz
  netty-tcnative_2.0.28-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


Bug#952351: marked as done (plexus-build-api: FTBFS: [ERROR] /<>/src/main/java/org/sonatype/plexus/build/incremental/EmptyScanner.java:[23, 8] org.sonatype.plexus.build.incremental.EmptyS

2020-02-24 Thread Debian Bug Tracking System
Your message dated Mon, 24 Feb 2020 11:51:50 +
with message-id 
and subject line Bug#952351: fixed in plexus-build-api 0.0.7-4
has caused the Debian Bug report #952351,
regarding plexus-build-api: FTBFS: [ERROR] 
/<>/src/main/java/org/sonatype/plexus/build/incremental/EmptyScanner.java:[23,8]
 org.sonatype.plexus.build.incremental.EmptyScanner is not abstract and does 
not override abstract method 
setFilenameComparator(java.util.Comparator) in 
org.codehaus.plexus.util.Scanner
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plexus-build-api
Version: 0.0.7-3
Severity: serious
Justification: FTBFS on amd64
Tags: bullseye sid ftbfs
Usertags: ftbfs-20200222 ftbfs-bullseye

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.

Relevant part (hopefully):
>  debian/rules build
> dh build
>dh_update_autotools_config
>dh_autoreconf
>dh_auto_configure
>   mh_patchpoms -plibplexus-build-api-java --debian-build 
> --keep-pom-version --maven-repo=/<>/debian/maven-repo
>dh_auto_build
>   /usr/lib/jvm/default-java/bin/java -noverify -cp 
> /usr/share/maven/boot/plexus-classworlds-2.x.jar 
> -Dmaven.home=/usr/share/maven 
> -Dmaven.multiModuleProjectDirectory=/<> 
> -Dclassworlds.conf=/etc/maven/m2-debian.conf 
> -Dproperties.file.manual=/<>/debian/maven.properties 
> org.codehaus.plexus.classworlds.launcher.Launcher 
> -s/etc/maven/settings-debian.xml -Ddebian.dir=/<>/debian 
> -Dmaven.repo.local=/<>/debian/maven-repo --batch-mode package 
> -DskipTests -Dnotimestamp=true -Dlocale=en_US
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by 
> com.google.inject.internal.cglib.core.$ReflectUtils$1 
> (file:/usr/share/maven/lib/guice.jar) to method 
> java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
> WARNING: Please consider reporting this to the maintainers of 
> com.google.inject.internal.cglib.core.$ReflectUtils$1
> WARNING: Use --illegal-access=warn to enable warnings of further illegal 
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> [INFO] Scanning for projects...
> [INFO] 
> [INFO] < org.sonatype.plexus:plexus-build-api 
> >
> [INFO] Building plexus-build-api 0.0.7
> [INFO] [ jar 
> ]-
> [WARNING] The artifact org.codehaus.plexus:plexus-container-default:jar:1.5.5 
> has been relocated to org.codehaus.plexus:plexus-container-default:jar:debian
> [INFO] 
> [INFO] --- maven-resources-plugin:3.1.0:resources (default-resources) @ 
> plexus-build-api ---
> [WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. 
> build is platform dependent!
> [WARNING] Please take a look into the FAQ: 
> https://maven.apache.org/general.html#encoding-warning
> [WARNING] Using platform encoding (UTF-8 actually) to copy filtered 
> resources, i.e. build is platform dependent!
> [INFO] Copying 1 resource
> [INFO] 
> [INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ 
> plexus-build-api ---
> [INFO] Changes detected - recompiling the module!
> [WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. 
> build is platform dependent!
> [INFO] Compiling 4 source files to /<>/target/classes
> Use of target 1.4 is no longer supported, switching to 1.7
> Use of source 1.4 is no longer supported, switching to 1.7
> [INFO] 
> /<>/src/main/java/org/sonatype/plexus/build/incremental/ThreadBuildContext.java:
>  
> /<>/src/main/java/org/sonatype/plexus/build/incremental/ThreadBuildContext.java
>  uses unchecked or unsafe operations.
> [INFO] 
> /<>/src/main/java/org/sonatype/plexus/build/incremental/ThreadBuildContext.java:
>  Recompile with -Xlint:unchecked for details.
> [INFO] -
> [ERROR] COMPILATION ERROR : 
> [INFO] -
> [ERROR] 
> /<>/src/main/java/org/sonatype/plexus/build/incremental/EmptyScanner.java:[23,8]
>  org.sonatype.plexus.build.incremental.EmptyScanner is not abstract and does 
> not override abstract method 
> setFilenameComparator(java.util.Comparator) in 
> org.codehaus.plexus.util.Scanner
> [INFO] 1 error
> [INFO] -
> [INFO] 
> 

plexus-build-api_0.0.7-4_source.changes ACCEPTED into unstable

2020-02-24 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 12:35:21 +0100
Source: plexus-build-api
Architecture: source
Version: 0.0.7-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 952351
Changes:
 plexus-build-api (0.0.7-4) unstable; urgency=medium
 .
   * Team upload.
   * Fixed the compatibility with plexus-utils 3.3 (Closes: #952351)
   * Standards-Version updated to 4.5.0

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


Thank you for your contribution to Debian.


Processing of plexus-build-api_0.0.7-4_source.changes

2020-02-24 Thread Debian FTP Masters
plexus-build-api_0.0.7-4_source.changes uploaded successfully to localhost
along with the files:
  plexus-build-api_0.0.7-4.dsc
  plexus-build-api_0.0.7-4.debian.tar.xz
  plexus-build-api_0.0.7-4_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


Processed: Bug#952351 marked as pending in plexus-build-api

2020-02-24 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #952351 [src:plexus-build-api] plexus-build-api: FTBFS: [ERROR] 
/<>/src/main/java/org/sonatype/plexus/build/incremental/EmptyScanner.java:[23,8]
 org.sonatype.plexus.build.incremental.EmptyScanner is not abstract and does 
not override abstract method 
setFilenameComparator(java.util.Comparator) in 
org.codehaus.plexus.util.Scanner
Added tag(s) pending.

-- 
952351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Processed: retitle 952220 to bcel: FTBFS caused by test failure in BCELifierTestCase.testJavapCompare

2020-02-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 952220 bcel: FTBFS caused by test failure in 
> BCELifierTestCase.testJavapCompare
Bug #952220 {Done: Emmanuel Bourg } [src:bcel] bcel: FTBFS: 
dh_auto_test: error: /usr/lib/jvm/default-java/bin/java -noverify -cp 
/usr/share/maven/boot/plexus-classworlds-2.x.jar -Dmaven.home=/usr/share/maven 
-Dmaven.multiModuleProjectDirectory=/<> 
-Dclassworlds.conf=/etc/maven/m2-debian.conf 
org.codehaus.plexus.classworlds.launcher.Launcher 
-s/etc/maven/settings-debian.xml -Ddebian.dir=/<>/debian 
-Dmaven.repo.local=/<>/debian/maven-repo --batch-mode test 
returned exit code 1
Changed Bug title to 'bcel: FTBFS caused by test failure in 
BCELifierTestCase.testJavapCompare' from 'bcel: FTBFS: dh_auto_test: error: 
/usr/lib/jvm/default-java/bin/java -noverify -cp 
/usr/share/maven/boot/plexus-classworlds-2.x.jar -Dmaven.home=/usr/share/maven 
-Dmaven.multiModuleProjectDirectory=/<> 
-Dclassworlds.conf=/etc/maven/m2-debian.conf 
org.codehaus.plexus.classworlds.launcher.Launcher 
-s/etc/maven/settings-debian.xml -Ddebian.dir=/<>/debian 
-Dmaven.repo.local=/<>/debian/maven-repo --batch-mode test 
returned exit code 1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
952220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#952220: marked as done (bcel: FTBFS: dh_auto_test: error: /usr/lib/jvm/default-java/bin/java -noverify -cp /usr/share/maven/boot/plexus-classworlds-2.x.jar -Dmaven.home=/usr/share/maven -Dmaven.mu

2020-02-24 Thread Debian Bug Tracking System
Your message dated Mon, 24 Feb 2020 11:19:19 +
with message-id 
and subject line Bug#952220: fixed in bcel 6.4.1-1
has caused the Debian Bug report #952220,
regarding bcel: FTBFS: dh_auto_test: error: /usr/lib/jvm/default-java/bin/java 
-noverify -cp /usr/share/maven/boot/plexus-classworlds-2.x.jar 
-Dmaven.home=/usr/share/maven 
-Dmaven.multiModuleProjectDirectory=/<> 
-Dclassworlds.conf=/etc/maven/m2-debian.conf 
org.codehaus.plexus.classworlds.launcher.Launcher 
-s/etc/maven/settings-debian.xml -Ddebian.dir=/<>/debian 
-Dmaven.repo.local=/<>/debian/maven-repo --batch-mode test 
returned exit code 1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bcel
Version: 6.3-1
Severity: serious
Justification: FTBFS on amd64
Tags: bullseye sid ftbfs
Usertags: ftbfs-20200222 ftbfs-bullseye

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.

Relevant part (hopefully):
>  debian/rules build
> dh build
>dh_update_autotools_config
>dh_autoreconf
>dh_auto_configure
>   mh_patchpoms -plibbcel-java --debian-build --keep-pom-version 
> --maven-repo=/<>/debian/maven-repo
>dh_auto_build
>   /usr/lib/jvm/default-java/bin/java -noverify -cp 
> /usr/share/maven/boot/plexus-classworlds-2.x.jar 
> -Dmaven.home=/usr/share/maven 
> -Dmaven.multiModuleProjectDirectory=/<> 
> -Dclassworlds.conf=/etc/maven/m2-debian.conf 
> org.codehaus.plexus.classworlds.launcher.Launcher 
> -s/etc/maven/settings-debian.xml -Ddebian.dir=/<>/debian 
> -Dmaven.repo.local=/<>/debian/maven-repo --batch-mode package 
> javadoc:jar javadoc:aggregate -DskipTests -Dnotimestamp=true -Dlocale=en_US
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by 
> com.google.inject.internal.cglib.core.$ReflectUtils$1 
> (file:/usr/share/maven/lib/guice.jar) to method 
> java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
> WARNING: Please consider reporting this to the maintainers of 
> com.google.inject.internal.cglib.core.$ReflectUtils$1
> WARNING: Use --illegal-access=warn to enable warnings of further illegal 
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> [INFO] Scanning for projects...
> [WARNING] 
> [WARNING] Some problems were encountered while building the effective model 
> for org.apache.bcel:bcel:jar:6.3
> [WARNING] 'build.plugins.plugin.version' for 
> org.apache.felix:maven-bundle-plugin is missing. @ 
> org.apache.commons:commons-parent:debian, 
> /<>/debian/maven-repo/org/apache/commons/commons-parent/debian/commons-parent-debian.pom,
>  line 310, column 12
> [WARNING] 
> [WARNING] It is highly recommended to fix these problems because they 
> threaten the stability of your build.
> [WARNING] 
> [WARNING] For this reason, future Maven versions might no longer support 
> building such malformed projects.
> [WARNING] 
> [WARNING] The POM for org.apache.maven.plugins:maven-site-plugin:jar:3.3 is 
> missing, no dependency information available
> [WARNING] Failed to retrieve plugin descriptor for 
> org.apache.maven.plugins:maven-site-plugin:3.3: Plugin 
> org.apache.maven.plugins:maven-site-plugin:3.3 or one of its dependencies 
> could not be resolved: Cannot access central 
> (https://repo.maven.apache.org/maven2) in offline mode and the artifact 
> org.apache.maven.plugins:maven-site-plugin:jar:3.3 has not been downloaded 
> from it before.
> [WARNING] The POM for org.apache.maven.plugins:maven-antrun-plugin:jar:1.3 is 
> missing, no dependency information available
> [WARNING] Failed to retrieve plugin descriptor for 
> org.apache.maven.plugins:maven-antrun-plugin:1.3: Plugin 
> org.apache.maven.plugins:maven-antrun-plugin:1.3 or one of its dependencies 
> could not be resolved: Cannot access central 
> (https://repo.maven.apache.org/maven2) in offline mode and the artifact 
> org.apache.maven.plugins:maven-antrun-plugin:jar:1.3 has not been downloaded 
> from it before.
> [WARNING] The POM for 
> org.apache.maven.plugins:maven-assembly-plugin:jar:2.2-beta-5 is missing, no 
> dependency information available
> [WARNING] Failed to retrieve plugin descriptor for 
> org.apache.maven.plugins:maven-assembly-plugin:2.2-beta-5: Plugin 
> org.apache.maven.plugins:maven-assembly-plugin:2.2-beta-5 or one of its 
> dependencies could not be resolved: Cannot access central 
> 

bcel_6.4.1-1_source.changes ACCEPTED into unstable

2020-02-24 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 12:07:44 +0100
Source: bcel
Architecture: source
Version: 6.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 952220
Changes:
 bcel (6.4.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
 - Updated the Maven rules
 - Fixes a test failure likely caused by a recent OpenJDK 11 update
   (Closes: #952220)
   * Updated the watch file
   * Standards-Version updated to 4.5.0

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


Thank you for your contribution to Debian.


Processing of bcel_6.4.1-1_source.changes

2020-02-24 Thread Debian FTP Masters
bcel_6.4.1-1_source.changes uploaded successfully to localhost
along with the files:
  bcel_6.4.1-1.dsc
  bcel_6.4.1.orig.tar.xz
  bcel_6.4.1-1.debian.tar.xz
  bcel_6.4.1-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
