Your message dated Thu, 03 Apr 2025 02:36:20 +0000
with message-id <e1u0ari-00d2se...@fasolo.debian.org>
and subject line Bug#1101204: fixed in commons-vfs 2.1-5
has caused the Debian Bug report #1101204,
regarding commons-vfs: CVE-2025-27553
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1101204: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101204
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: commons-vfs
Version: 2.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for commons-vfs.

CVE-2025-27553[0]:
| Relative Path Traversal vulnerability in Apache Commons VFS before
| 2.10.0.  The FileObject API in Commons VFS has a 'resolveFile'
| method that takes a 'scope' parameter. Specifying
| 'NameScope.DESCENDENT' promises that "an exception is thrown if the
| resolved file is not a descendent of the base file". However, when
| the path contains encoded ".." characters (for example,
| "%2E%2E/bar.txt"), it might return file objects that are not a
| descendent of the base file, without throwing an exception. This
| issue affects Apache Commons VFS: before 2.10.0.  Users are
| recommended to upgrade to version 2.10.0, which fixes the issue.


CVE-2025-30474[1]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Commons VFS.  The FtpFileObject class can
| throw an exception when a file is not found, revealing the original
| URI in its message, which may include a password. The fix is to mask
| the password in the exception message. This issue affects Apache
| Commons VFS: before 2.10.0.  Users are recommended to upgrade to
| version 2.10.0, which fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27553
    https://www.cve.org/CVERecord?id=CVE-2025-27553
[1] https://security-tracker.debian.org/tracker/CVE-2025-30474
    https://www.cve.org/CVERecord?id=CVE-2025-30474

Regards,
Salvatore

--- End Message ---
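Added example (not part of the Debian bug mail and not Apache Commons VFS code): a generic illustration of the two issues the report quotes. For CVE-2025-27553 it shows why a "descendant" check that compares raw, still-percent-encoded names is fooled by `%2E%2E/...`, next to a hardened resolver that decodes and normalises before enforcing containment (the contract the CVE text attributes to `NameScope.DESCENDENT`). For CVE-2025-30474 it shows masking the password before a URI is echoed into an exception message. All function names, paths and URIs are constructed for the example.

```python
"""Constructed example: descendant-scope check and URI password masking.

Nothing here calls Commons VFS; the functions model the behaviour the
quoted CVE texts describe and one hardened form of each.
"""
import posixpath
from urllib.parse import unquote


class NotDescendantError(ValueError):
    """Raised when a resolved name does not fall strictly below the base."""


def _prefix(base_norm: str) -> str:
    # Avoid producing "//" when the base is the root directory.
    return base_norm if base_norm.endswith("/") else base_norm + "/"


def naive_is_descendant(base: str, rel: str) -> bool:
    """Vulnerable pattern: normalise and compare WITHOUT percent-decoding.

    "%2E%2E" is not recognised as "..", so the check passes even though a
    layer that decodes the name later would land outside the base.
    """
    base_norm = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base_norm, rel))
    return joined.startswith(_prefix(base_norm))


def _fully_decode(name: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double encoding (%252E) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise NotDescendantError("name is percent-encoded too many times")


def resolve_descendant(base: str, rel: str) -> str:
    """Hardened resolve: decode, then normalise, then enforce containment.

    Returns the normalised absolute path or raises NotDescendantError.
    The base itself is rejected (strict descendant), as is anything above it.
    """
    decoded = _fully_decode(rel)
    if "\x00" in decoded:
        raise NotDescendantError("NUL byte in name")
    base_norm = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base_norm, decoded))
    if not joined.startswith(_prefix(base_norm)):
        raise NotDescendantError(f"{rel!r} does not resolve below {base!r}")
    return joined


def is_rejected(base: str, rel: str) -> bool:
    """True when the hardened resolver refuses the name."""
    try:
        resolve_descendant(base, rel)
    except NotDescendantError:
        return True
    return False


def mask_uri_password(uri: str) -> str:
    """Replace the password in scheme://user:password@host/... with '***'.

    The authority is sliced by hand so the host part is kept verbatim
    (IPv6 brackets, case, port) rather than re-assembled.
    """
    scheme_sep = uri.find("://")
    if scheme_sep < 0:
        return uri
    start = scheme_sep + 3
    ends = [i for i in (uri.find(c, start) for c in "/?#") if i >= 0]
    end = min(ends) if ends else len(uri)
    authority = uri[start:end]
    if "@" not in authority:
        return uri
    userinfo, hostpart = authority.rsplit("@", 1)
    if ":" not in userinfo:
        return uri  # user name only, nothing to hide
    user = userinfo.split(":", 1)[0]
    return uri[:start] + f"{user}:***@{hostpart}" + uri[end:]


class FileNotFoundInVfs(Exception):
    """Exception whose message never carries the credential from the URI."""


def not_found_error(uri: str) -> FileNotFoundInVfs:
    # Mask before formatting, so the secret never reaches logs or callers.
    return FileNotFoundInVfs(f"Could not find file: {mask_uri_password(uri)}")


if __name__ == "__main__":
    base = "/srv/share"  # constructed base directory
    print("naive, plain ..   :", naive_is_descendant(base, "../etc/passwd"))
    print("naive, encoded .. :", naive_is_descendant(base, "%2E%2E/etc/passwd"))
    print("hardened, encoded :", is_rejected(base, "%2E%2E/etc/passwd"))
    print(not_found_error("ftp://alice:s3cret@ftp.example.com/pub/missing.txt"))
```

The two checks differ only in the order of operations: decoding must happen before normalisation and the prefix comparison, otherwise the comparison runs on a string that is not the one the file system will act on. The masking helper is deliberately applied at the point the message is built, so every caller that surfaces the exception inherits the protection.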
--- Begin Message ---
Source: commons-vfs
Source-Version: 2.1-5
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
commons-vfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1101...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated commons-vfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Apr 2025 03:38:38 +0200
Source: commons-vfs
Architecture: source
Version: 2.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1101204
Changes:
 commons-vfs (2.1-5) unstable; urgency=medium
 .
   * Team upload.
   * Declare compliance with Debian Policy 4.7.2.
   * Force at least a Java 8 build to fix CVE-2025-27553.
   * Fix CVE-2025-27553: (Closes: #1101204)
     Arnout Engelen discovered a Relative Path Traversal vulnerability in
     Commons VFS, a Java library that provides a single API for accessing
     various different file systems. A local or remote attacker may use this
     flaw to access files and directories outside of a root folder.
Checksums-Sha1:
 3fa8a2afebf9e14d4799b57dbd7a4b03eee7bf8b 2426 commons-vfs_2.1-5.dsc
 d3b667a47925a5b80858ef1474032d037e579651 10992 commons-vfs_2.1-5.debian.tar.xz
 1346dc9795a06a29b1b2733e7c5488fb92ea38f7 15647 commons-vfs_2.1-5_amd64.buildinfo
Checksums-Sha256:
 039deba3b02f7c59b4a0c2d614f3ede4fb95d56fafb79f5acaa8efb0ff84556a 2426 commons-vfs_2.1-5.dsc
 514e443ffd2b7db8828945b450a6cebf9d7789284969ae0334dccb69079dfad3 10992 commons-vfs_2.1-5.debian.tar.xz
 052062defbab2cde4f896075e98875cb06c63ed4bb22def61c8bb0975ed4cf43 15647 commons-vfs_2.1-5_amd64.buildinfo
Files:
 0d49ad9d2709fd9a59f83438055e46f8 2426 java optional commons-vfs_2.1-5.dsc
 a0a9595802bb9663e50f89bf954a65f8 10992 java optional commons-vfs_2.1-5.debian.tar.xz
 15d91389c4b27bb41c09914492219590 15647 java optional commons-vfs_2.1-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpJ4oDXEZqIG.pgp
Description: PGP signature


--- End Message ---
