Your message dated Wed, 17 Mar 2021 05:19:00 +0000
with message-id <e1lmoac-0000ol...@fasolo.debian.org>
and subject line Bug#985220: fixed in velocity 1.7-6
has caused the Debian Bug report #985220,
regarding velocity: CVE-2020-13936
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: velocity
Version: 1.7-5.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.7-5

Hi,

The following vulnerability was published for velocity.

CVE-2020-13936[0]:
| An attacker that is able to modify Velocity templates may execute
| arbitrary Java code or run arbitrary system commands with the same
| privileges as the account running the Servlet container. This applies
| to applications that allow untrusted users to upload/modify velocity
| templates running Apache Velocity Engine versions up to 2.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13936
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
[1] https://www.openwall.com/lists/oss-security/2021/03/10/1

Regards,
Salvatore

--- End Message ---
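The CVE text above comes down to one rule: a Velocity template is code, so whoever can write one runs with the privileges of the process rendering it, and the default introspector lets a template reach any public method of any context object (and of whatever those methods return). The following Java example is added here as an illustration and is not code from this bug report, from Debian, or from the Apache Velocity project. It assumes velocity 1.7 (the package above) on the classpath; the class name, the helper methods and the constructed probe template are this example's own, and the Velocity calls used (VelocityEngine, VelocityContext, evaluate(), RuntimeConstants.UBERSPECT_CLASSNAME and SecureUberspector) are the library's public API. It shows the vulnerable pattern (rendering an untrusted template string) beside the hardened one (trusted template, untrusted data only in the context, SecureUberspector as defence in depth), plus a probe a deployer can use to confirm the secure introspector is actually in effect.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/*
 * Added example; not code from this bug report or from Apache Velocity.
 * Assumes velocity 1.7 (the Debian package above) on the classpath. The
 * class and helper method names here are illustrative.
 */
public class VelocityTemplateTrust {

    /*
     * Constructed probe: the first thing someone who can edit a template
     * would try. Every context object exposes getClass(), and from a
     * java.lang.Class the rest of the reflection API is one call away.
     * The probe only obtains the Class; it invokes nothing on it.
     */
    static final String PROBE_TEMPLATE =
        "#set($cls = $greeting.getClass().forName(\"java.lang.Runtime\"))\n"
      + "reached: $!cls";

    static VelocityEngine newEngine(boolean secureIntrospection) {
        VelocityEngine engine = new VelocityEngine();
        if (secureIntrospection) {
            // SecureUberspector (shipped with Velocity 1.x) refuses method
            // calls on java.lang.Class (except getName), ClassLoader, Runtime,
            // System, Thread and everything in java.lang.reflect, among others.
            engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        engine.init();
        return engine;
    }

    static String render(VelocityEngine engine, String template, String greeting)
            throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("greeting", greeting);
        StringWriter out = new StringWriter();
        // evaluate() parses and runs the string as template code.
        engine.evaluate(ctx, out, "example", template);
        return out.toString();
    }

    /* Vulnerable pattern: the template text comes from the untrusted party. */
    static String renderUntrustedTemplate(String attackerControlledTemplate)
            throws Exception {
        return render(newEngine(false), attackerControlledTemplate, "hello");
    }

    /*
     * Hardened pattern: the template is trusted (a constant here; in a real
     * deployment a resource the deploying team controls, never an upload
     * directory or a user-writable database row). Untrusted input enters only
     * as a value in the context, which Velocity interpolates but never parses.
     * SecureUberspector is added as defence in depth, not as a substitute for
     * keeping templates out of untrusted hands.
     */
    static String renderTrustedTemplate(String untrustedUserInput) throws Exception {
        String trustedTemplate = "Hello, ${greeting}!";
        return render(newEngine(true), trustedTemplate, untrustedUserInput);
    }

    /* Deployment check: confirm the secure introspector is really in effect. */
    static String probeSecureEngine() throws Exception {
        return render(newEngine(true), PROBE_TEMPLATE, "hello");
    }

    public static void main(String[] args) throws Exception {
        // Default introspector: the probe template obtains a java.lang.Class
        // object for Runtime and $cls renders it.
        System.out.println(renderUntrustedTemplate(PROBE_TEMPLATE));

        // SecureUberspector: forName() on a Class is refused, the #set gets a
        // null right-hand side, $cls is never set and $!cls renders empty.
        System.out.println(probeSecureEngine());

        // Template syntax arriving as context data is plain text: the value
        // is interpolated into the trusted template, not evaluated.
        System.out.println(renderTrustedTemplate("$greeting.getClass()"));
    }
}
```

The probe is deliberately inert (it stops at obtaining a Class), but it is enough to distinguish the two configurations, and it is the kind of check to run against a staging instance after changing the uberspector. Note that SecureUberspector only restricts introspection on the objects and classes in its list; the only complete fix for the scenario in the CVE is that untrusted users cannot create or modify templates at all.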
--- Begin Message ---
Source: velocity
Source-Version: 1.7-6
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
velocity, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated velocity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Mar 2021 21:07:58 -0700
Source: velocity
Architecture: source
Version: 1.7-6
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 985220
Changes:
 velocity (1.7-6) unstable; urgency=high
 .
   * Team upload.
   * Update Vcs URLs to point to Salsa
   * Patch for CVE-2020-13936 (Closes: #985220)
   * Ship Apache NOTICE file with package
Checksums-Sha1:
 ae20f4cde17a7aaeb84e8eb99bcf8c6ec3ab4f25 2439 velocity_1.7-6.dsc
 5da8184fe68a8279aea511beedef8a6f4e752956 9580 velocity_1.7-6.debian.tar.xz
 7665dcc76c845e7b351f0a16c9af43ff91897cf4 13384 velocity_1.7-6_amd64.buildinfo
Checksums-Sha256:
 aaac45302118aa6804da420dd072afc481bbdfb8ef5f66001a60125d1d5c9106 2439 velocity_1.7-6.dsc
 7fd49066a8cacad395204808315ee8bf658f470fa38e640436672f5a44901f40 9580 velocity_1.7-6.debian.tar.xz
 58b79c775303bc3fb8c4c0821630289e288b2670342367bfd331988e061ceec8 13384 velocity_1.7-6_amd64.buildinfo
Files:
 5dd6d11a65ad6b62a562ad716833e4ca 2439 java optional velocity_1.7-6.dsc
 6b0ac1a31af547d5bf40ad1b6d3bb6cf 9580 java optional velocity_1.7-6.debian.tar.xz
 105ac48884389acc90ecad832a0cf683 13384 java optional velocity_1.7-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
