eclipse-subclipse_1.8.16-2_amd64.changes ACCEPTED into experimental, experimental
Accepted: Format: 1.8 Date: Thu, 15 Nov 2012 16:33:59 +0100 Source: eclipse-subclipse Binary: eclipse-subclipse eclipse-subclipse-graph eclipse-subclipse-mylyn Architecture: source all Version: 1.8.16-2 Distribution: experimental Urgency: low Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org Changed-By: Jakub Adam jakub.a...@ktknet.cz Description: eclipse-subclipse - Subversion client plugin for Eclipse eclipse-subclipse-graph - Subversion Revision Graph Eclipse plugin eclipse-subclipse-mylyn - Subclipse Mylyn integration Changes: eclipse-subclipse (1.8.16-2) experimental; urgency=low . * d/copyright: fix licenses for org.tigris.subversion.subclipse.tests. Thank you for your contribution to Debian. __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
sweethome3d-textures-editor_1.0-1_amd64.changes ACCEPTED into unstable, unstable
Accepted: Format: 1.8 Date: Fri, 28 Sep 2012 23:00:05 +0200 Source: sweethome3d-textures-editor Binary: sweethome3d-textures-editor Architecture: source all Version: 1.0-1 Distribution: unstable Urgency: low Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org Changed-By: Gabriele Giacone 1o5g4...@gmail.com Description: sweethome3d-textures-editor - Sweet Home 3D Textures Library Editor Closes: 691695 Changes: sweethome3d-textures-editor (1.0-1) unstable; urgency=low . * Initial release (Closes: #691695). Thank you for your contribution to Debian.
Bug#693524: junit4: Broken watchfile
Package: junit4 Version: 4.10-3 Severity: normal Tags: patch Hi, Github have changed their website which breaks debian/watch. I have attached a patch which fixes this issue. Jon -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (650, 'testing'), (600, 'unstable'), (450, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages junit4 depends on: ii default-jre-headless [java5-runtime-headless]1:1.6-47 ii gcj-4.6-jre-headless [java5-runtime-headless]4.6.3-1 ii gcj-4.7-jre-headless [java5-runtime-headless]4.7.2-2 ii gcj-jre-headless [java5-runtime-headless]4:4.7.2-1 ii libhamcrest-java 1.2-2 ii openjdk-6-jre-headless [java5-runtime-headless] 6b24-1.11.5-1 ii openjdk-7-jre-headless [java5-runtime-headless] 7u3-2.1.3-1 junit4 recommends no packages. junit4 suggests no packages. -- no debconf information From ec34fcf3e9b2b8a6977c2b0409a64c6d2995ac8b Mon Sep 17 00:00:00 2001 From: Jonathan McCrohan jmccro...@gmail.com Date: Sat, 17 Nov 2012 14:24:32 + Subject: [PATCH] Update watchfile to fix Github breakage --- debian/changelog |8 debian/orig-tar.sh |2 +- debian/watch |2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index c83b83c..fc0f4bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +junit4 (4.10-3.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Update watchfile to fix Github breakage. +- Update unused debug line in orig-tar.sh too. + + -- Jonathan McCrohan jmccro...@gmail.com Sat, 17 Nov 2012 14:16:28 + + junit4 (4.10-3) unstable; urgency=low * Team upload. diff --git a/debian/orig-tar.sh b/debian/orig-tar.sh index edcd54c..7bca62b 100755 --- a/debian/orig-tar.sh +++ b/debian/orig-tar.sh 
@@ -7,7 +7,7 @@ TAR=../junit4_$VERSION.orig.tar.gz ORIG_TAR=$3 #rm -f $3 -#wget -O $TAR http://github.com/KentBeck/junit/tarball/r$VERSION +#wget -O $TAR http://github.com/KentBeck/junit/archive/r$VERSION # clean up the upstream tarball mkdir $DIR diff --git a/debian/watch b/debian/watch index 0a88374..6d49965 100644 --- a/debian/watch +++ b/debian/watch @@ -1,3 +1,3 @@ version=3 -http://github.com/KentBeck/junit/tags/ /KentBeck/junit/tarball/r([\d\.]*) debian debian/orig-tar.sh +http://github.com/KentBeck/junit/tags/ .*/r(\d[\d\.]+)\.tar\.gz debian debian/orig-tar.sh -- 1.7.10.4
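Review bot: In the debian/orig-tar.sh hunk, the updated comment "#wget -O $TAR http://github.com/KentBeck/junit/archive/r$VERSION" has no ".tar.gz" suffix, while the new debian/watch pattern only matches links ending in "r<version>.tar.gz", so the two no longer describe the same URL. If the line is kept as a debugging aid, make it match what the watch file will fetch (append ".tar.gz") and use https://; otherwise drop the dead line.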
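Review bot: In the debian/watch hunk, the new pattern ".*/r(\d[\d\.]+)\.tar\.gz" needs at least two characters in the version group, so a tag such as "r5.tar.gz" would not match; "r(\d[\d\.]*)\.tar\.gz" accepts it and still requires a leading digit. The leading ".*/" also accepts a matching link under any path on the tags page, where the old pattern was tied to "/KentBeck/junit/"; keeping that prefix narrows what is followed. The tags page is still fetched over http:// and nothing on this watch line verifies the tarball, so switching the URL to https:// belongs in the same change.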
Bug#692442: patch
Hi, I've backported the routine to validate the certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch; it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
Description: Validates the hostname requested is the same in the certificate in ssl-connections Fixes CVE-2012-5783, validates hostname certificate in SSL connections. Backported from http-client 4, and from Apache Synapse (plus some bugfixes). Author: Alberto Fernandez inf...@gmail.com Bug-Debian: http://bugs.debian.org/692442 Forwarded: no --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -31,11 +31,23 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; import org.apache.commons.httpclient.ConnectTimeoutException; import org.apache.commons.httpclient.params.HttpConnectionParams;
@@ -55,6 +67,11 @@ public class SSLProtocolSocketFactory im */ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; + /** * Gets an singleton instance of the SSLProtocolSocketFactory. * @return a SSLProtocolSocketFactory @@ -79,12 +96,14 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -124,16 +143,19 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { -return createSocket(host, port, localAddress, localPort); +Socket sslSocket = createSocket(host, port, localAddress, localPort); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } else { // To be eventually deprecated when migrated to Java 1.4 or above -Socket socket = ReflectionSocketFactory.createSocket( +Socket sslSocket = ReflectionSocketFactory.createSocket( javax.net.ssl.SSLSocketFactory, host, port, localAddress, localPort, timeout); -if (socket == null) { -socket = ControllerThreadSocketFactory.createSocket( +if (sslSocket == null) { + sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } -return socket; +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } } 
@@ -142,10 +164,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -157,14 +181,267 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { -return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( +Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; +} + + + + +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */
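Review bot: The comment above BAD_COUNTRY_2LDS in the "@@ -55,6 +67,11 @@" hunk has two typos ("a a sorted list", "orderdered") and states an ordering requirement without saying which lookup depends on it; name that lookup in the comment so a later insertion does not silently break it. "private final static" is also conventionally written "private static final".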
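Review bot: In the "@@ -79,12 +96,14 @@" hunk (and the same pattern in the later createSocket overloads), a socket that fails verifyHostName is never closed: the exception propagates and the connected sslSocket is dropped while still open. Close the socket before rethrowing. Since the cover note worries about callers that connect by IP or by an alias, the Javadoc of each createSocket overload should also state that it now throws on a name mismatch.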
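Review bot: In the "timeout == 0" branch of the "@@ -124,16 +143,19 @@" hunk, the hostname is verified twice: "createSocket(host, port, localAddress, localPort)" already calls verifyHostName after the "@@ -79,12 +96,14 @@" change, and the branch then calls it again on the returned socket. Return the result of createSocket(...) directly there. In the else branch, the "(SSLSocket) sslSocket" cast assumes both ReflectionSocketFactory and ControllerThreadSocketFactory hand back an SSLSocket; an instanceof check that throws SSLException would fail more clearly than a ClassCastException.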
Bug#692650: patch
Hi, I've made a patch (attached). It's basically the same patch I've submitted to commons-httpclient (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442). This patch is tested in commons-httpclient but untested in axis (sorry).
Description: Validates the hostname requested is the same in the certificate in ssl-connections Fixes CVE-2012-5784, validates hostname certificate in SSL connections. Backported from http-client 4, and from Apache Synapse (plus some bugfixes). Author: Alberto Fernandez inf...@gmail.com Bug-Debian: http://bugs.debian.org/692650 Forwarded: no --- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java +++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java @@ -19,6 +19,8 @@ import org.apache.axis.utils.Messages; import org.apache.axis.utils.XMLUtils; import org.apache.axis.utils.StringUtils; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import java.io.BufferedWriter; @@ -28,7 +30,15 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.net.Socket; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; import java.util.Hashtable; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; /** @@ -41,6 +51,10 @@ import java.util.Hashtable; */ public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory { +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; /** Field sslFactory */ protected SSLSocketFactory sslFactory = null;
@@ -187,6 +201,255 @@ public class JSSESocketFactory extends D if (log.isDebugEnabled()) { log.debug(Messages.getMessage(createdSSL00)); } +verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new IllegalArgumentException(host to verify was null); + } + + SSLSession session = ssl.getSession(); + if (session == null) { +// In our experience this only happens under IBM 1.4.x when +// spurious (unrelated) certificates show up in the server's chain. +// Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); +/* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + +#1. Clean up the certificate chain that your server + is presenting (e.g. edit /etc/apache2/server.crt or + wherever it is your server's certificate chain is + defined). + + OR + +#2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + +// If ssl.getInputStream().available() didn't cause an exception, +// maybe at least now the session is available? + session = ssl.getSession(); + if (session == null) { +// If it's still null, probably a startHandshake() will +// unearth the real problem. +ssl.startHandshake(); + +// Okay, if we still haven't managed to cause an exception, +// might as well go for the NPE. Or maybe we're okay now? 
+session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + verifyHostName(host.trim().toLowerCase(), (X509Certificate) certs[0]); + } + /** + * Extract the names from the certificate and tests host matches one of them + * @param host + * @param cert + * @throws SSLException + */ + + private static void verifyHostName(final String host, X509Certificate cert) + throws SSLException { +// I'm okay with being case-insensitive when comparing the host we used +// to establish the socket to the hostname in the certificate. +// Don't trim the CN, though. + + String cn = getCN(cert); + String[] subjectAlts = getDNSSubjectAlts(cert); + verifyHostName(host, cn.toLowerCase(), subjectAlts); + + } + + /** + * Extract all alternative names from a certificate. + * @param cert + *
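Review bot: In the "@@ -187,6 +201,255 @@" hunk, verifyHostName(String, SSLSocket) can still reach "session.getPeerCertificates()" with a null session; the comment "might as well go for the NPE" says as much. Throw an SSLException when the session is still null after startHandshake() so callers see a TLS failure, not a NullPointerException. Two smaller points in the same hunk: the Javadoc links to CVE-2012-5783 while the patch description says this change fixes CVE-2012-5784, and "host.trim().toLowerCase()" and "cn.toLowerCase()" use the default locale, so pass Locale.ENGLISH to keep the comparison stable (under a Turkish locale "I" lowercases to a dotless "ı").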
Processed: tagging 693524
Processing commands for cont...@bugs.debian.org: tags 693524 + pending Bug #693524 [junit4] junit4: Broken watchfile Added tag(s) pending. thanks Stopping processing here. Please contact me if you need assistance. -- 693524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693524 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#693524: junit4: Broken watchfile
On 11/17/2012 06:26 AM, Jonathan McCrohan wrote: Package: junit4 Version: 4.10-3 Severity: normal Tags: patch Hi, Github have changed their website which breaks debian/watch. I have attached a patch which fixes this issue. Jon Hi Jon, I have applied your patch to the source package packaging repository for junit4 and marked the bug as pending for the next upload. Thank you for the update. tony
Processing of tomcat6_6.0.35-5+nmu1_amd64.changes
tomcat6_6.0.35-5+nmu1_amd64.changes uploaded successfully to localhost along with the files: tomcat6_6.0.35-5+nmu1.dsc tomcat6_6.0.35-5+nmu1.debian.tar.gz tomcat6-common_6.0.35-5+nmu1_all.deb tomcat6_6.0.35-5+nmu1_all.deb tomcat6-user_6.0.35-5+nmu1_all.deb libtomcat6-java_6.0.35-5+nmu1_all.deb libservlet2.4-java_6.0.35-5+nmu1_all.deb libservlet2.5-java_6.0.35-5+nmu1_all.deb libservlet2.5-java-doc_6.0.35-5+nmu1_all.deb tomcat6-admin_6.0.35-5+nmu1_all.deb tomcat6-examples_6.0.35-5+nmu1_all.deb tomcat6-docs_6.0.35-5+nmu1_all.deb tomcat6-extras_6.0.35-5+nmu1_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)
tomcat6_6.0.35-5+nmu1_amd64.changes ACCEPTED into unstable
Accepted: Format: 1.8 Date: Sat, 17 Nov 2012 23:15:03 + Source: tomcat6 Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras Architecture: source all Version: 6.0.35-5+nmu1 Distribution: unstable Urgency: high Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org Changed-By: Michael Gilbert mgilb...@debian.org Description: libservlet2.4-java - Transitional package for libservlet2.5-java libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation libtomcat6-java - Servlet and JSP engine -- core libraries tomcat6- Servlet and JSP engine tomcat6-admin - Servlet and JSP engine -- admin web applications tomcat6-common - Servlet and JSP engine -- common files tomcat6-docs - Servlet and JSP engine -- documentation tomcat6-examples - Servlet and JSP engine -- example web applications tomcat6-extras - Servlet and JSP engine -- additional components tomcat6-user - Servlet and JSP engine -- tools to create user instances Closes: 692440 Changes: tomcat6 (6.0.35-5+nmu1) unstable; urgency=high . * Non-maintainer upload. * Fix multiple security issues (closes: #692440) - cve-2012-2733: denial-of-service by triggering out of memory error. - cve-2012-3439: multiple replay attack issues in digest authentication.
Bug#692440: marked as done (tomcat7: CVE-2012-2733 CVE-2012-3439)
Your message dated Sat, 17 Nov 2012 23:32:46 + with message-id e1tzrsu-00069x...@franck.debian.org and subject line Bug#692440: fixed in tomcat6 6.0.35-5+nmu1 has caused the Debian Bug report #692440, regarding tomcat7: CVE-2012-2733 CVE-2012-3439 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 692440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692440 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: tomcat7 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-7.html Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release. Cheers, Moritz ---End Message--- ---BeginMessage--- Source: tomcat6 Source-Version: 6.0.35-5+nmu1 We believe that the bug you reported is fixed in the latest version of tomcat6, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 692...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Michael Gilbert mgilb...@debian.org (supplier of updated tomcat6 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) Format: 1.8 Date: Sat, 17 Nov 2012 23:15:03 + Source: tomcat6 Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras Architecture: source all Version: 6.0.35-5+nmu1 Distribution: unstable Urgency: high Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org Changed-By: Michael Gilbert mgilb...@debian.org Description: libservlet2.4-java - Transitional package for libservlet2.5-java libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation libtomcat6-java - Servlet and JSP engine -- core libraries tomcat6- Servlet and JSP engine tomcat6-admin - Servlet and JSP engine -- admin web applications tomcat6-common - Servlet and JSP engine -- common files tomcat6-docs - Servlet and JSP engine -- documentation tomcat6-examples - Servlet and JSP engine -- example web applications tomcat6-extras - Servlet and JSP engine -- additional components tomcat6-user - Servlet and JSP engine -- tools to create user instances Closes: 692440 Changes: tomcat6 (6.0.35-5+nmu1) unstable; urgency=high . * Non-maintainer upload. * Fix multiple security issues (closes: #692440) - cve-2012-2733: denial-of-service by triggering out of memory error. - cve-2012-3439: multiple replay attack issues in digest authentication.
Bug#692439: marked as done (tomcat6: CVE-2012-2733 CVE-2012-3439)
Your message dated Sat, 17 Nov 2012 20:48:41 -0500 with message-id CANTw=MMTdWnFvD6vgQ2tN8bDByvg979e5ZZ-nUOi4RfepF=m...@mail.gmail.com and subject line re: tomcat6: CVE-2012-2733 CVE-2012-3439 has caused the Debian Bug report #692439, regarding tomcat6: CVE-2012-2733 CVE-2012-3439 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 692439: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692439 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: tomcat6 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-6.html Since Wheezy is frozen, please apply isolated security fixes and do not update to a new upstream release. BTW, is it really necessary to have both tomcat6 and tomcat7 in Wheezy? Shouldn't tomcat6 be dropped in favour of tomcat7? Cheers, Moritz ---End Message--- ---BeginMessage--- version: 6.0.35+nmu1 Hi, I've uploaded an nmu fixing this issue. Please see attached patch. Note I incorrectly entered the tomcat7 bug in the changelog, which should be corrected in the next upload. Best wishes, Mike tomcat6.patch Description: Binary data ---End Message---
Processing of tomcat7_7.0.28-3+nmu1_amd64.changes
tomcat7_7.0.28-3+nmu1_amd64.changes uploaded successfully to localhost along with the files: tomcat7_7.0.28-3+nmu1.dsc tomcat7_7.0.28-3+nmu1.debian.tar.gz tomcat7-common_7.0.28-3+nmu1_all.deb tomcat7_7.0.28-3+nmu1_all.deb tomcat7-user_7.0.28-3+nmu1_all.deb libtomcat7-java_7.0.28-3+nmu1_all.deb libservlet3.0-java_7.0.28-3+nmu1_all.deb libservlet3.0-java-doc_7.0.28-3+nmu1_all.deb tomcat7-admin_7.0.28-3+nmu1_all.deb tomcat7-examples_7.0.28-3+nmu1_all.deb tomcat7-docs_7.0.28-3+nmu1_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)
tomcat7_7.0.28-3+nmu1_amd64.changes ACCEPTED into unstable
Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Nov 2012 01:40:30 +
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-3+nmu1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
Changed-By: Michael Gilbert mgilb...@debian.org
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7 - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 692440
Changes:
 tomcat7 (7.0.28-3+nmu1) unstable; urgency=high
 .
 * Non-maintainer upload.
 * Fix cve-2012-3439: multiple replay attack issues in digest authentication.
(closes: #692440)
Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439
Hi, I've uploaded an nmu fixing this issue. Please see attached patch. Best wishes, Mike tomcat7.patch Description: Binary data
Bug#692440: marked as done (tomcat7: CVE-2012-2733 CVE-2012-3439)
Your message dated Sun, 18 Nov 2012 06:02:46 + with message-id e1tzxxu-0004he...@franck.debian.org and subject line Bug#692440: fixed in tomcat7 7.0.28-3+nmu1 has caused the Debian Bug report #692440, regarding tomcat7: CVE-2012-2733 CVE-2012-3439 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
692440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692440
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-7.html

Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release.

Cheers,
Moritz
---End Message---
---BeginMessage---
Source: tomcat7
Source-Version: 7.0.28-3+nmu1

We believe that the bug you reported is fixed in the latest version of tomcat7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 692...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert mgilb...@debian.org (supplier of updated tomcat7 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Nov 2012 01:40:30 +
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-3+nmu1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
Changed-By: Michael Gilbert mgilb...@debian.org
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7 - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 692440
Changes:
 tomcat7 (7.0.28-3+nmu1) unstable; urgency=high
 .
 * Non-maintainer upload.
 * Fix cve-2012-3439: multiple replay attack issues in digest authentication.
(closes: #692440)
Processed: your mail
Processing commands for cont...@bugs.debian.org: notfixed 692440 6.0.35+nmu1 Bug #692440 {Done: Michael Gilbert mgilb...@debian.org} [tomcat7] tomcat7: CVE-2012-2733 CVE-2012-3439 There is no source info for the package 'tomcat7' at version '6.0.35+nmu1' with architecture '' Unable to make a source version for version '6.0.35+nmu1' Ignoring request to alter fixed versions of bug #692440 to the same values previously set thanks Stopping processing here. Please contact me if you need assistance. -- 692440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692440 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: your mail
Processing commands for cont...@bugs.debian.org: notfixed 692440 6.0.35-5+nmu1 Bug #692440 {Done: Michael Gilbert mgilb...@debian.org} [tomcat7] tomcat7: CVE-2012-2733 CVE-2012-3439 There is no source info for the package 'tomcat7' at version '6.0.35-5+nmu1' with architecture '' Unable to make a source version for version '6.0.35-5+nmu1' No longer marked as fixed in versions tomcat6/6.0.35-5+nmu1. thanks Stopping processing here. Please contact me if you need assistance. -- 692440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692440 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems