Your message dated Wed, 06 Feb 2019 19:19:49 +0000
with message-id <e1grsjd-000edm...@fasolo.debian.org>
and subject line Bug#918736: fixed in libthrift-java 0.9.1-2.1
has caused the Debian Bug report #918736,
regarding libthrift-java: CVE-2018-1320
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
918736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libthrift-java
Version: 0.9.1-2
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/THRIFT-4506
Hi,
The following vulnerability was published for libthrift-java.
CVE-2018-1320[0]:
| Apache Thrift Java client library versions 0.5.0 through 0.11.0 can
| bypass SASL negotiation isComplete validation in the
| org.apache.thrift.transport.TSaslTransport class. An assert used to
| determine if the SASL handshake had successfully completed could be
| disabled in production settings making the validation incomplete.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
[1] https://issues.apache.org/jira/browse/THRIFT-4506
[2] https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
Regards,
Salvatore
--- End Message ---
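The CVE text above turns on one Java-specific detail: an `assert` statement is compiled in but only executed when the JVM is started with `-ea` (or `-enableassertions`); the default is off, so an `assert sasl.isComplete()` placed at the end of a SASL handshake is a no-op in almost every production deployment, and a peer that never finished negotiating still gets a usable transport. The following stand-alone program is an added illustration of that failure mode and its fix; it is not code from Apache Thrift or from this bug report. `Negotiator` is a hypothetical stand-in for `javax.security.sasl.SaslClient` (only `isComplete()` matters here), `HandshakeException` is a hypothetical stand-in for `TTransportException`, and `openVulnerable`/`openFixed` are invented names for the two patterns.

```java
// AssertDemo.java -- added illustration, not Apache Thrift code.
// Compile and run twice:  javac AssertDemo.java && java AssertDemo && java -ea AssertDemo
// Without -ea the "vulnerable" open() succeeds on a handshake that never completed.
public class AssertDemo {

    /** Hypothetical stand-in for javax.security.sasl.SaslClient; only isComplete() is needed. */
    interface Negotiator {
        boolean isComplete();
    }

    /** Hypothetical stand-in for TTransportException. */
    static class HandshakeException extends Exception {
        HandshakeException(String msg) { super(msg); }
    }

    /**
     * Vulnerable pattern (the shape described in CVE-2018-1320): handshake
     * completion is "validated" with assert. The JVM skips this statement
     * entirely unless started with -ea, so the method returns normally.
     */
    static boolean openVulnerable(Negotiator sasl) {
        // ... challenge/response exchange with the peer would happen here ...
        assert sasl.isComplete() : "SASL negotiation not complete";
        return true; // reached even when isComplete() is false and assertions are off
    }

    /**
     * Hardened pattern: an explicit runtime check that no JVM flag can remove.
     * The caller is forced to handle the failure instead of getting a transport.
     */
    static boolean openFixed(Negotiator sasl) throws HandshakeException {
        // ... challenge/response exchange with the peer would happen here ...
        if (!sasl.isComplete()) {
            throw new HandshakeException("SASL negotiation not complete");
        }
        return true;
    }

    public static void main(String[] args) {
        // Canonical idiom to detect whether assertions are enabled: the
        // assignment inside the assert only runs when -ea is in effect.
        boolean assertionsOn = false;
        assert assertionsOn = true;
        System.out.println("assertions enabled (-ea): " + assertionsOn);

        // Constructed input: a negotiator whose handshake never completed,
        // i.e. what a malicious or broken peer leaves you with.
        Negotiator incomplete = () -> false;

        try {
            openVulnerable(incomplete);
            System.out.println("openVulnerable: transport opened although the handshake is incomplete");
        } catch (AssertionError e) {
            System.out.println("openVulnerable: rejected by assert (only happens with -ea): " + e.getMessage());
        }

        try {
            openFixed(incomplete);
            System.out.println("openFixed: opened (should never happen)");
        } catch (HandshakeException e) {
            System.out.println("openFixed: rejected: " + e.getMessage());
        }
    }
}
```

Run without `-ea` and the first call opens the transport; run with `-ea` and it throws `AssertionError`. The second call rejects the incomplete handshake in both cases, which is the property a security check needs: its behaviour must not depend on a launch flag that operators routinely leave at its default. The same reasoning applies when auditing other Java code that uses `assert` for input or state validation on a trust boundary.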
--- Begin Message ---
Source: libthrift-java
Source-Version: 0.9.1-2.1
We believe that the bug you reported is fixed in the latest version of
libthrift-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 918...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libthrift-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 06 Feb 2019 19:04:12 +0100
Source: libthrift-java
Architecture: source
Version: 0.9.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 918736
Changes:
 libthrift-java (0.9.1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-1320:
     It was discovered that it was possible to bypass SASL negotiation
     isComplete validation in the org.apache.thrift.transport.TSaslTransport
     class. An assert used to determine if the SASL handshake had successfully
     completed could be disabled in production settings making the validation
     incomplete. (Closes: #918736)
Checksums-Sha1:
 d1b8333774342a9b9dafa6661bb6264d9557d3eb 2301 libthrift-java_0.9.1-2.1.dsc
 126eab3f003eae06e620e7964eb9b227926c2e11 3224 libthrift-java_0.9.1-2.1.debian.tar.xz
 22a30bbc5be1f9e0a3145eba3a16edcd854bae2a 16747 libthrift-java_0.9.1-2.1_amd64.buildinfo
Checksums-Sha256:
 2dc5b734bbbeb6ef40a65f0c722f6e259201d9b9fa2de3476d5cc30e5a8b3778 2301 libthrift-java_0.9.1-2.1.dsc
 ec2bce943cde5acf766ca853ec9b5afc2b00ee73973aa2e047477b87e9f877b5 3224 libthrift-java_0.9.1-2.1.debian.tar.xz
 fbc6e0046c49f613200c918ab90fbbed944168d906a9f120d584594a8d0b7618 16747 libthrift-java_0.9.1-2.1_amd64.buildinfo
Files:
 f2a6d2269e9e46f8baa1e272ea67bb59 2301 java extra libthrift-java_0.9.1-2.1.dsc
 9cb7931277a664e2e7f045b552d949be 3224 java extra libthrift-java_0.9.1-2.1.debian.tar.xz
 4bc2728fb4eacc7713e7991ae5173801 16747 java extra libthrift-java_0.9.1-2.1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=GP+i
-----END PGP SIGNATURE-----
--- End Message ---