Your message dated Sat, 24 Sep 2022 12:50:55 +0000
with message-id <[email protected]>
and subject line Bug#1014982: fixed in apache-jena 4.5.0-1
has caused the Debian Bug report #1014982,
regarding apache-jena: CVE-2021-33192 CVE-2021-39239 CVE-2022-28890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1014982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014982
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache-jena
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache-jena.

Unfortunately the Apache security process is quite poor and limited
information gets made available, so it might be needed to reach out
to upstream to get more detailed information.

CVE-2021-33192[0]:
| A vulnerability in the HTML pages of Apache Jena Fuseki allows an
| attacker to execute arbitrary javascript on certain page views. This
| issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0
| (inclusive).

https://lists.apache.org/thread/sq6q94q0prqwr9vdm2wptglcq1kv98k8

CVE-2021-39239[1]:
| A vulnerability in XML processing in Apache Jena, in versions up to
| 4.1.0, may allow an attacker to execute XML External Entities (XXE),
| including exposing the contents of local files to a remote server.

https://lists.apache.org/thread/qpbfrdty7jt3yfm39hx4p9dp151sd6gm

CVE-2022-28890[2]:
| A vulnerability in the RDF/XML parser of Apache Jena allows an
| attacker to cause an external DTD to be retrieved. This issue affects
| Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and
| 4.3.x do not allow external entities.

https://www.openwall.com/lists/oss-security/2022/05/04/1

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33192
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192
[1] https://security-tracker.debian.org/tracker/CVE-2021-39239
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239
[2] https://security-tracker.debian.org/tracker/CVE-2022-28890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890

Please adjust the affected versions in the BTS as needed.

--- End Message ---
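The two XML-side issues in the report above (XXE in CVE-2021-39239 and external DTD retrieval in CVE-2022-28890) share one root cause: an XML parser that is allowed to resolve DOCTYPE-driven external resources. As an added illustration, not code from Apache Jena or from this bug report, the following shows the general JAXP mitigation of refusing DOCTYPE declarations and external entities outright, exercised against a constructed RDF/XML document that carries an external DTD reference. The feature URIs are the standard Xerces/SAX ones understood by the JDK's built-in parser; the `dtd.example` host and both sample documents are placeholders constructed for this example. This is the generic hardening, not the change made in Jena 4.5.0 itself.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    /** Builds a DocumentBuilderFactory that cannot reach outside the document. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all: no internal subset, no external DTD, no entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the hardened factory and returns a short verdict string. */
    static String parseVerdict(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed root element " + d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // Rejected at the DOCTYPE, before any external resource is fetched.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: RDF/XML that asks the parser to fetch an external DTD.
        String withDtd = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE rdf:RDF SYSTEM \"http://dtd.example/placeholder.dtd\">\n"
            + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"/>";
        // Constructed sample: the same document without a DOCTYPE.
        String plain = "<?xml version=\"1.0\"?>\n"
            + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"/>";
        System.out.println(parseVerdict(withDtd));
        System.out.println(parseVerdict(plain));
    }
}
```

The first document is rejected with a SAXParseException the moment the DOCTYPE is seen, so no request to the DTD host is ever made; the second parses normally. Disallowing DOCTYPE entirely is the simplest setting to audit because it makes the individual entity features irrelevant, which is why it is set first.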
--- Begin Message ---
Source: apache-jena
Source-Version: 4.5.0-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
apache-jena, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated apache-jena package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Sep 2022 13:59:54 +0200
Source: apache-jena
Architecture: source
Version: 4.5.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1014982
Changes:
 apache-jena (4.5.0-1) unstable; urgency=high
 .
   * New upstream version 4.5.0.
     - Fix CVE-2021-33192, CVE-2021-39239 and CVE-2022-28890. Thanks to Moritz
       Mühlenhoff for the report. (Closes: #1014982)
   * Refresh the patches.
   * Add libprotobuf-java, libtitanium-json-ld-java and libjsonp2-java to
     Build-Depends.
   * Tighten dependency on libthrift-java.
   * Declare compliance with Debian Policy 4.6.1.
Checksums-Sha1:
 72550c3240b9b043c533ed8a27f413ae8a279663 2551 apache-jena_4.5.0-1.dsc
 83966a00776162e2fe2f2cba6bf00389235982ed 7814853 apache-jena_4.5.0.orig.tar.gz
 d311cdec64d028a1fd2f4783715a9a22b235298a 20992 apache-jena_4.5.0-1.debian.tar.xz
 ebe592155d44d8a845df0afdc3f24310bd98c5b4 14248 apache-jena_4.5.0-1_amd64.buildinfo
Checksums-Sha256:
 15538875088d36899227764b9a2aca510a45ca70b8972f9828e824e34a3a8f47 2551 apache-jena_4.5.0-1.dsc
 8aa33419153394598d90edcc339eef814f2f2e45bac384be3ba199fb62607b08 7814853 apache-jena_4.5.0.orig.tar.gz
 06e786cbb5c68405ad65420ed32df0aef50cbd24d79d2d1454bc9e549f0837de 20992 apache-jena_4.5.0-1.debian.tar.xz
 249439537c2a826d0d1441859400413eaf552c2d8b31ae539e77ed0f61db40ca 14248 apache-jena_4.5.0-1_amd64.buildinfo
Files:
 ffda3f1b6113c836f6af94b670f218dd 2551 java optional apache-jena_4.5.0-1.dsc
 18043a86f41f0f5f2bd5cf587e55b4b6 7814853 java optional apache-jena_4.5.0.orig.tar.gz
 f12dfcb4a074be0feef31580ee04df1e 20992 java optional apache-jena_4.5.0-1.debian.tar.xz
 72c0f360ba54c31a8399d1cd675b88da 14248 java optional apache-jena_4.5.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
