Your message dated Sat, 25 Jul 2020 16:32:09 +0000
with message-id <[email protected]>
and subject line Bug#954713: fixed in commons-configuration2 2.2-1+deb10u1
has caused the Debian Bug report #954713,
regarding commons-configuration2: CVE-2020-1953
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954713
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: commons-configuration2
Version: 2.2-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for commons-configuration2.
CVE-2020-1953[0]:
| Apache Commons Configuration uses a third-party library to parse YAML
| files which by default allows the instantiation of classes if the YAML
| includes special statements. Apache Commons Configuration versions
| 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this
| library. So if a YAML file was loaded from an untrusted source, it
| could therefore load and execute code out of the control of the host
| application.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-1953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1953
[1] https://www.openwall.com/lists/oss-security/2020/03/13/1
Regards,
Salvatore
--- End Message ---
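The advisory above comes down to a single default: the YAML library (SnakeYAML) instantiates whatever class a `!!` tag names unless it is told not to. The following is an added example, not code from the bug report or from commons-configuration2, showing the weak loader beside the hardened one; it assumes SnakeYAML 1.x on the classpath (the line the affected versions used), and the tagged class name is a constructed placeholder, not a real payload.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoaderHardening {

    // Constructed sample input: a document carrying a global (!!) tag that
    // names a Java class. The class name is a placeholder for illustration.
    static final String TAGGED_DOC = "value: !!com.example.HypotheticalType {}";

    // Constructed sample input: ordinary configuration data with no tags.
    static final String PLAIN_DOC = "db:\n  host: localhost\n  port: 5432\n";

    // Weak form (the default CVE-2020-1953 describes): Yaml() with no
    // explicit constructor resolves !! tags to classes and instantiates them,
    // so untrusted input decides which code runs.
    static Object loadWithDefaults(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened form: SafeConstructor only builds the standard YAML types
    // (maps, sequences, scalars) and throws for any tag it does not know.
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        // Plain data still parses with the safe loader.
        System.out.println("plain document: " + loadSafely(PLAIN_DOC));

        // A tagged document is rejected before any class is touched.
        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }
    }
}
```

When reviewing code that wraps SnakeYAML, the thing to grep for is a bare `new Yaml()` on a path that reads files from outside the application's control; the fix is to pass `SafeConstructor` (or, in SnakeYAML 2.x, rely on its safe-by-default behaviour).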
--- Begin Message ---
Source: commons-configuration2
Source-Version: 2.2-1+deb10u1
Done: Moritz Mühlenhoff <[email protected]>
We believe that the bug you reported is fixed in the latest version of
commons-configuration2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated commons-configuration2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 13 Jul 2020 19:18:37 +0200
Source: commons-configuration2
Binary: libcommons-configuration2-java libcommons-configuration2-java-doc
Architecture: source all
Version: 2.2-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Description:
libcommons-configuration2-java - Java based library providing a generic configuration interface
libcommons-configuration2-java-doc - API Documentation for commons-configuration2
Closes: 954713
Changes:
commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium
.
* CVE-2020-1953 (Closes: #954713)
--- End Message ---