Your message dated Thu, 17 Oct 2019 10:19:08 +0000
with message-id <e1il2s8-00030y...@fasolo.debian.org>
and subject line Bug#942463: fixed in jss 4.6.2-1
has caused the Debian Bug report #942463,
regarding jss: CVE-2019-14823
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
942463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jss
Version: 4.6.1-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/dogtagpki/jss/pull/284

Hi,

The following vulnerability was published for jss.

CVE-2019-14823[0]:
| A flaw was found in the "Leaf and Chain" OCSP policy implementation in
| JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it
| implicitly trusted the root certificate of a certificate chain.
| Applications using this policy may not properly verify the chain and
| could be vulnerable to attacks such as Man in the Middle.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14823
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14823
[1] https://github.com/dogtagpki/jss/pull/284
[2] https://github.com/dogtagpki/jss/commit/be37ff4738b4696d529a13b6ed33c7ac56d97ba4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
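
A simplified model of the flaw class named in the CVE description above, added here as an illustration (it is not JSS code and not part of the original messages): a validator that checks only the links of the presented chain accepts any self-signed root, while the anchored one also requires that root to be in a local trust store. The `Cert` type, the hash-based `toy_sign` stand-in for real signatures, and all names and keys are constructed assumptions; OCSP itself is not modelled.

```python
import hashlib
from dataclasses import dataclass

def toy_sign(signer_key: bytes, subject: str, subject_key: bytes) -> str:
    # Assumption: a keyed digest stands in for a real public-key signature.
    return hashlib.sha256(signer_key + subject.encode() + subject_key).hexdigest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # toy key, used both to sign and to verify
    sig: str

def issue(subject, subject_key, issuer, issuer_key):
    return Cert(subject, issuer, subject_key, toy_sign(issuer_key, subject, subject_key))

def links_ok(chain):
    """Each cert is signed by the next one; the last cert is self-signed."""
    chain = list(chain)
    for cert, parent in zip(chain, chain[1:] + [chain[-1]]):
        if cert.issuer != parent.subject or \
           cert.sig != toy_sign(parent.key, cert.subject, cert.key):
            return False
    return True

def validate_implicit_root(chain):
    """Flawed: a well-formed chain is accepted whatever root it ends in."""
    return bool(chain) and links_ok(chain)

def validate_anchored(chain, trust_store):
    """Corrected: the chain must also end in a root already in the trust store."""
    if not chain or not links_ok(chain):
        return False
    root = chain[-1]
    return any(root.subject == a.subject and root.key == a.key for a in trust_store)

# Constructed sample data: one root in the local store, one that is not.
GOOD_ROOT = issue("Example Root CA", b"k-root", "Example Root CA", b"k-root")
GOOD_LEAF = issue("server.example", b"k-leaf", "Example Root CA", b"k-root")
OTHER_ROOT = issue("Unlisted Root", b"k-other", "Unlisted Root", b"k-other")
OTHER_LEAF = issue("server.example", b"k-leaf2", "Unlisted Root", b"k-other")
TRUST_STORE = [GOOD_ROOT]
```

Both validators accept `[GOOD_LEAF, GOOD_ROOT]`; only `validate_implicit_root` accepts `[OTHER_LEAF, OTHER_ROOT]`, which is the gap a regression test for this class of bug should cover.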
--- Begin Message ---
Source: jss
Source-Version: 4.6.2-1

We believe that the bug you reported is fixed in the latest version of
jss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 942...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaal...@debian.org> (supplier of updated jss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Oct 2019 12:55:52 +0300
Source: jss
Architecture: source
Version: 4.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-de...@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaal...@debian.org>
Closes: 942463
Changes:
 jss (4.6.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - fix CVE-2019-14823 (Closes: #942463)
   * fix-bufferprfd.diff: Dropped, upstream.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
