Your message dated Sat, 16 Jul 2022 17:48:53 +0000
with message-id <[email protected]>
and subject line Bug#1014960: fixed in commons-configuration2 2.8.0-1
has caused the Debian Bug report #1014960,
regarding commons-configuration2: CVE-2022-33980
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014960
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: commons-configuration2
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for commons-configuration2.
CVE-2022-33980[0]:
| Apache Commons Configuration performs variable interpolation, allowing
| properties to be dynamically evaluated and expanded. The standard
| format for interpolation is "${prefix:name}", where "prefix" is used
| to locate an instance of
| org.apache.commons.configuration2.interpol.Lookup that performs the
| interpolation. Starting with version 2.4 and continuing through 2.7,
| the set of default Lookup instances included interpolators that could
| result in arbitrary code execution or contact with remote servers.
| These lookups are:
| - "script" - execute expressions using the JVM script execution
|   engine (javax.script)
| - "dns" - resolve dns records
| - "url" - load values from urls, including from remote servers
| Applications using the interpolation defaults in the affected versions
| may be vulnerable to remote code execution or unintentional contact
| with remote servers if untrusted configuration values are used. Users
| are recommended to upgrade to Apache Commons Configuration 2.8.0,
| which disables the problematic interpolators by default.
https://www.openwall.com/lists/oss-security/2022/07/06/5
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-33980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980
Please adjust the affected versions in the BTS as needed.
--- End Message ---
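An added example, not part of the bug report or the Debian package, showing what the CVE text above means in code: which of the three lookup prefixes a given commons-configuration2 build still registers by default, and how to strip them from a configuration instance on 2.4 through 2.7 when an upgrade to 2.8.0 cannot happen yet. It assumes commons-configuration2 2.4 or later on the classpath; the class and method names are the library's public API, and the property value is a constructed input of the shape the advisory describes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.Lookup;

/**
 * Added example for CVE-2022-33980 (not from the bug report or the package).
 * Audits the default lookup table and removes the "script", "dns" and "url"
 * lookups from one configuration instance. Assumes commons-configuration2 2.4+.
 */
public final class InterpolationHardening {

    /** The three prefixes named in the CVE text. */
    static final List<String> RISKY_PREFIXES = Arrays.asList("script", "dns", "url");

    /**
     * Prefixes from RISKY_PREFIXES that this library version registers by
     * default. Expected: all three on 2.4-2.7, none on 2.8.0 unless someone
     * re-enabled them explicitly.
     */
    static List<String> riskyDefaultPrefixes() {
        Map<String, Lookup> defaults = ConfigurationInterpolator.getDefaultPrefixLookups();
        List<String> found = new ArrayList<>();
        for (String prefix : RISKY_PREFIXES) {
            if (defaults.containsKey(prefix)) {
                found.add(prefix);
            }
        }
        return found;
    }

    /**
     * Removes the risky lookups from one configuration's interpolator and
     * returns the prefixes that were actually removed. Afterwards a value
     * such as ${script:...} is left unexpanded instead of being handed to
     * javax.script. On 2.8.0 defaults this is a no-op.
     */
    static List<String> harden(PropertiesConfiguration config) {
        ConfigurationInterpolator interpolator = config.getInterpolator();
        List<String> removed = new ArrayList<>();
        for (String prefix : RISKY_PREFIXES) {
            if (interpolator.deregisterLookup(prefix)) {
                removed.add(prefix);
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        System.out.println("risky lookups registered by default: " + riskyDefaultPrefixes());

        // Constructed input: a value of the shape the CVE describes, as it could
        // arrive from an untrusted properties file. With the script lookup still
        // registered, getString() would pass the expression to the JVM script
        // engine (if one is installed); after harden() the raw "${script:...}"
        // text comes back untouched.
        PropertiesConfiguration config = new PropertiesConfiguration();
        config.setProperty("banner", "${script:javascript:'evaluated by ' + 'javax.script'}");

        System.out.println("removed from this instance: " + harden(config));
        System.out.println("banner resolves to: " + config.getString("banner"));
    }
}
```

Deregistering on one instance only covers that instance; configurations built elsewhere in the process (including by `Configurations` and the builders) get the library defaults again, so on 2.4 through 2.7 the upgrade to 2.8.0 remains the real fix. 2.8.0 also lets the removed lookups be switched back on through a system property, so the `riskyDefaultPrefixes()` audit is worth keeping after the upgrade.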
--- Begin Message ---
Source: commons-configuration2
Source-Version: 2.8.0-1
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
commons-configuration2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated commons-configuration2
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 16 Jul 2022 09:53:15 -0700
Source: commons-configuration2
Architecture: source
Version: 2.8.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1014960
Changes:
commons-configuration2 (2.8.0-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 2.8.0 (Closes: #1014960)
Addresses CVE-2022-33980
* Bump Standards-Version to 4.6.1
* Use debhelper-compat 13
* Freshen years in debian/copyright
* Update javax.servlet dependency to libservlet-api-java
* Add build-dep on libhamcrest-java
Checksums-Sha1:
dd6a571053d060a3ca6e82c02d21cd269ada1e9f 2993
commons-configuration2_2.8.0-1.dsc
c03103d376cdd50db521b0d5a327705bfad6e48a 674444
commons-configuration2_2.8.0.orig.tar.xz
6d89f01a3de19cc18f29c0003214e6ae1f9d6987 5120
commons-configuration2_2.8.0-1.debian.tar.xz
1bd9101c547f13c02fa6d773a943be9f8edf4d56 17063
commons-configuration2_2.8.0-1_amd64.buildinfo
Checksums-Sha256:
8980c53f687825be62beada89ef8969875491c6bfd91b3ebd2b69948b2ff4282 2993
commons-configuration2_2.8.0-1.dsc
ac1a055140e91ef8937420552512b7e8cd8bbf8899d10e753f01d6cc3dbe0f1b 674444
commons-configuration2_2.8.0.orig.tar.xz
d97dc7c0cbd60d03b5cff5d6433fdbf2cb0d17bfb348b95649e03ba3c4b68a69 5120
commons-configuration2_2.8.0-1.debian.tar.xz
36212012815aaaff9f65a9c2f8da3715b0528ff5a6b66313da77a9815fab5524 17063
commons-configuration2_2.8.0-1_amd64.buildinfo
Files:
af221344e38c837acc05b4e891d171ac 2993 java optional
commons-configuration2_2.8.0-1.dsc
fc1361d211825df0a92dc5d4d604f11a 674444 java optional
commons-configuration2_2.8.0.orig.tar.xz
06208f4b8f46e0984d5e7ac47195cee6 5120 java optional
commons-configuration2_2.8.0-1.debian.tar.xz
956ad7df9634315a3d2ce04954f89be7 17063 java optional
commons-configuration2_2.8.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=Oze1
-----END PGP SIGNATURE-----
--- End Message ---