Your message dated Wed, 29 Jul 2009 05:47:33 +0000
with message-id <e1mw20j-0003yj...@ries.debian.org>
and subject line Bug#512532: fixed in classpath 2:0.98-1
has caused the Debian Bug report #512532,
regarding CVE-2008-5659: The gnu.java.security.util.PRNG class in GNU Classpath
0.97.2 and ...
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
512532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: classpath
Version: <= 0.97.2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath.
CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For a better description of this bug please have a look at:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
The affected code you can find in
classpath-0.97.2/gnu/java/security/util/PRNG.java
on the lines where ``System.currentTimeMillis();'' is used.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
http://security-tracker.debian.net/tracker/CVE-2008-5659
Kind regards,
Thomas.
--- End Message ---
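The weakness the CVE text describes, as an added example that is not code from GNU Classpath or from this report: `java.util.Random` stands in for a deterministic generator (an assumption; it is not the `gnu.java.security.util.PRNG` implementation), and the one-minute window and clock offset are constructed values. It shows that a seed taken from `System.currentTimeMillis()` leaves only as many candidates as there are milliseconds of uncertainty about creation time, while a seed drawn from `SecureRandom` does not fall in that window.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class TimeSeedDemo {
    // Stand-in deterministic generator: same seed, same output.
    // java.util.Random is used for illustration only; it is neither a CSPRNG
    // nor the GNU Classpath PRNG class. The point here is seed entropy.
    static byte[] output(long seed, int n) {
        byte[] buf = new byte[n];
        new Random(seed).nextBytes(buf);
        return buf;
    }

    // Weak pattern named in the report: the seed is the wall clock.
    static long weakSeed() {
        return System.currentTimeMillis();
    }

    // Corrected pattern: seed material comes from the platform CSPRNG.
    static long strongSeed() {
        return new SecureRandom().nextLong();
    }

    // Candidate seeds when creation time is known to +/- windowMs.
    static long candidates(long windowMs) {
        return 2 * windowMs + 1;
    }

    // Returns the seed within the window that reproduces `observed`, or -1.
    static long seedInWindow(byte[] observed, long approx, long windowMs) {
        for (long s = approx - windowMs; s <= approx + windowMs; s++) {
            if (Arrays.equals(output(s, observed.length), observed)) return s;
        }
        return -1;
    }

    public static void main(String[] args) {
        long window = 60_000;             // constructed: one minute of uncertainty
        long created = weakSeed();
        long approx = created + 12_345;   // constructed: estimate off by ~12 s
        long n = candidates(window);
        System.out.printf("clock seed: %d candidates (~%.1f bits)%n",
                n, Math.log(n) / Math.log(2));
        System.out.println("clock seed reproduced from window: "
                + (seedInWindow(output(created, 16), approx, window) == created));
        System.out.println("CSPRNG seed reproduced from window: "
                + (seedInWindow(output(strongSeed(), 16), approx, window) != -1));
    }
}
```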
--- Begin Message ---
Source: classpath
Source-Version: 2:0.98-1
We believe that the bug you reported is fixed in the latest version of
classpath, which is due to be installed in the Debian FTP archive:
classpath-common-unzipped_0.98-1_all.deb
to pool/main/c/classpath/classpath-common-unzipped_0.98-1_all.deb
classpath-common_0.98-1_all.deb
to pool/main/c/classpath/classpath-common_0.98-1_all.deb
classpath-doc_0.98-1_all.deb
to pool/main/c/classpath/classpath-doc_0.98-1_all.deb
classpath-gtkpeer_0.98-1_amd64.deb
to pool/main/c/classpath/classpath-gtkpeer_0.98-1_amd64.deb
classpath-qtpeer_0.98-1_amd64.deb
to pool/main/c/classpath/classpath-qtpeer_0.98-1_amd64.deb
classpath_0.98-1.diff.gz
to pool/main/c/classpath/classpath_0.98-1.diff.gz
classpath_0.98-1.dsc
to pool/main/c/classpath/classpath_0.98-1.dsc
classpath_0.98-1_amd64.deb
to pool/main/c/classpath/classpath_0.98-1_amd64.deb
classpath_0.98.orig.tar.gz
to pool/main/c/classpath/classpath_0.98.orig.tar.gz
jikes-classpath_0.98-1_all.deb
to pool/main/c/classpath/jikes-classpath_0.98-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Koch <konque...@gmx.de> (supplier of updated classpath package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 28 Jul 2009 23:13:05 +0200
Source: classpath
Binary: classpath classpath-gtkpeer classpath-qtpeer classpath-common
classpath-common-unzipped classpath-doc jikes-classpath
Architecture: source all amd64
Version: 2:0.98-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Michael Koch <konque...@gmx.de>
Description:
classpath - clean room standard Java libraries
classpath-common - clean room standard Java libraries - architecture
independent fil
classpath-common-unzipped - clean room standard Java libraries - architecture
independent fil
classpath-doc - clean room standard Java libraries - free Java API
documentation
classpath-gtkpeer - clean room standard Java libraries - GTK+ AWT peer
classpath-qtpeer - clean room standard Java libraries - QT AWT peer
jikes-classpath - clean room standard Java libraries - wrapper for jikes
Closes: 512532 537290
Changes:
 classpath (2:0.98-1) unstable; urgency=low
 .
   * New upstream release.
     - fixes predictability in PRNG.java (Closes: #512532).
   * debian/classpath-common.install: Don't install gappletviewer.1.gz.
     (Closes: #537290)
   * debian/control:
     - Build-Depend on debhelper (>= 5).
     - Updated Standards-Version to 3.8.2.
   * debian/rules:
     - Enable examples.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpv31IACgkQWSOgCCdjSDuatACeIqySKBGNBFLGnsvQjUE9OCZG
ddgAn3WMmxM89X+/XH2+y0S+o+dUMtC6
=BUZf
-----END PGP SIGNATURE-----
--- End Message ---