Your message dated Thu, 01 Dec 2011 23:43:00 +0000
with message-id <e1rwghm-00051n...@franck.debian.org>
and subject line Bug#650430: fixed in mojarra 2.0.3-2
has caused the Debian Bug report #650430,
regarding Mojarra: CVE-2011-4358
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
650430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650430
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mojarra
Severity: grave
Tags: security patch
Hi there,
A vulnerability against mojarra has been reported.
http://www.openwall.com/lists/oss-security/2011/11/29/1
Please check the reference to get a patch and a PoC.
Best Regards,
/luciano
--- End Message ---
--- Begin Message ---
Source: mojarra
Source-Version: 2.0.3-2
We believe that the bug you reported is fixed in the latest version of
mojarra, which is due to be installed in the Debian FTP archive:
libjsf-api-java_2.0.3-2_all.deb
  to main/m/mojarra/libjsf-api-java_2.0.3-2_all.deb
libjsf-impl-java_2.0.3-2_all.deb
  to main/m/mojarra/libjsf-impl-java_2.0.3-2_all.deb
libjsf-java-doc_2.0.3-2_all.deb
  to main/m/mojarra/libjsf-java-doc_2.0.3-2_all.deb
mojarra_2.0.3-2.debian.tar.gz
  to main/m/mojarra/mojarra_2.0.3-2.debian.tar.gz
mojarra_2.0.3-2.dsc
  to main/m/mojarra/mojarra_2.0.3-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 650...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Miguel Landaeta <mig...@miguel.cc> (supplier of updated mojarra package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 29 Nov 2011 19:45:48 -0430
Source: mojarra
Binary: libjsf-api-java libjsf-impl-java libjsf-java-doc
Architecture: source all
Version: 2.0.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <mig...@miguel.cc>
Description:
libjsf-api-java - JavaServer Faces 2.0 Java EE web framework - API
libjsf-impl-java - JavaServer Faces 2.0 Java EE web framework - Implementation
libjsf-java-doc - Documentation for libjsf-api-java
Closes: 650430
Changes:
mojarra (2.0.3-2) unstable; urgency=high
.
* Fixed critical bug by not allowing the value of UIViewParam to be an
EL Expression: CVE-2011-4358. (Closes: #650430).
* Bump Standards-Version to 3.9.2. No changes were required.
* Update watch file.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---