Your message dated Fri, 21 May 2021 14:47:09 +0000
with message-id <e1lk6qf-000ilg...@fasolo.debian.org>
and subject line Bug#985220: fixed in velocity 1.7-5+deb10u1
has caused the Debian Bug report #985220,
regarding velocity: CVE-2020-13936
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: velocity
Version: 1.7-5.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.7-5

Hi,

The following vulnerability was published for velocity.

CVE-2020-13936[0]:
| An attacker that is able to modify Velocity templates may execute
| arbitrary Java code or run arbitrary system commands with the same
| privileges as the account running the Servlet container. This applies
| to applications that allow untrusted users to upload/modify velocity
| templates running Apache Velocity Engine versions up to 2.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13936
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
[1] https://www.openwall.com/lists/oss-security/2021/03/10/1

Regards,
Salvatore

--- End Message ---
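The report above describes the risk: whoever can edit a Velocity template can run Java code with the servlet container's privileges. The defender-side pattern that follows is an added example, not code from the bug report, from Debian or from the Velocity project. It assumes the Velocity 1.7 API (`VelocityEngine`, `RuntimeConstants`, `org.apache.velocity.util.introspection.SecureUberspector`); the restricted package and class lists are illustrative, not a claim about what the Debian update changed. The two points it shows: template source stays application-owned and untrusted input enters only as context values, and the `SecureUberspector` is switched on so a template cannot reach reflection or process classes through introspection.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Hardened Velocity 1.7 engine set-up (added example, not Debian's or
 * Velocity's own code). Template text is treated as code and comes only
 * from the application; request data is bound as context values; and the
 * SecureUberspector is enabled as defence in depth against introspection
 * from a template that was edited carelessly.
 */
public class HardenedVelocity {

    /** Builds an engine whose introspector refuses reflective access. */
    public static VelocityEngine secureEngine() {
        Properties p = new Properties();
        // Replace the default introspector with the restricting one.
        p.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Packages and classes the SecureUberspector must never expose
        // (illustrative list; extend it for your application).
        p.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES,
                "java.lang.reflect");
        p.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES,
                "java.lang.Class, java.lang.ClassLoader, java.lang.Runtime,"
              + " java.lang.System, java.lang.Thread, java.lang.Process");
        VelocityEngine engine = new VelocityEngine();
        engine.init(p);
        return engine;
    }

    /**
     * Renders an application-owned template. User data is bound into the
     * context, so directives or references inside it are emitted literally
     * rather than parsed as template syntax.
     */
    public static String render(VelocityEngine engine, String trustedTemplate,
                                String userSuppliedName) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userSuppliedName);   // value, never template source
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "greeting", trustedTemplate);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = secureEngine();
        // Constructed sample: template owned by the application, name from a request.
        String template = "Hello, $name!";
        String fromRequest = "Mallory #set($x = 1)$x";   // stays literal text
        System.out.println(render(engine, template, fromRequest));
    }
}
```

The configuration only limits what a template can reach once it is being evaluated; the property that actually closes the hole described in the report is that no untrusted party gets to author or upload template source in the first place.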
--- Begin Message ---
Source: velocity
Source-Version: 1.7-5+deb10u1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
velocity, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated velocity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 May 2021 11:11:57 +0100
Source: velocity
Binary: velocity velocity-doc
Architecture: source all
Version: 1.7-5+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 velocity   - Java-based template engine for web application
 velocity-doc - Documentation for velocity
Closes: 985220
Changes:
 velocity (1.7-5+deb10u1) buster; urgency=medium
 .
   * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
     that can be exploited by applications that allow untrusted users to
     upload/modify Velocity templates. (Closes: #985220)
Checksums-Sha1:
 92dbb67afb71643f1125ec4be71fcf65a69a1613 2457 velocity_1.7-5+deb10u1.dsc
 e518672d725a8e2ecde62390ceaf5aec01a75a6e 9588 velocity_1.7-5+deb10u1.debian.tar.xz
 905afe15eeb329da0a56b3c90139d390f8c30a37 616616 velocity-doc_1.7-5+deb10u1_all.deb
 62851057b22dd3281d27b2116ecb38c5a722c575 429228 velocity_1.7-5+deb10u1_all.deb
 0e5c78daf44fbca1de98a66c22776af0b57d49ac 13196 velocity_1.7-5+deb10u1_amd64.buildinfo
Checksums-Sha256:
 333427ad94554953f1714b104a08fc54af93629248b75b3122e67dcf69106da1 2457 velocity_1.7-5+deb10u1.dsc
 c2d1ed52f73d14db895681846aeabd7fa79a6f57be2a6e8457f28c27f40a19d0 9588 velocity_1.7-5+deb10u1.debian.tar.xz
 5cfbba3a36d6af84b239cf4f5e3b7bbd04e8501af18bb00f5bfb670443ec1dbb 616616 velocity-doc_1.7-5+deb10u1_all.deb
 092a598e67e9d0b96654933a3f92a5c346ada486a42a26d01b6c2b3ade987ae1 429228 velocity_1.7-5+deb10u1_all.deb
 63f558e0e17ec6bd80d3de837ace193e1791cad07c78e276294432b3302e1c35 13196 velocity_1.7-5+deb10u1_amd64.buildinfo
Files:
 c5c5ea4054a336065c8c467194c85666 2457 java optional velocity_1.7-5+deb10u1.dsc
 d05b3a2b9faed3347efaf18dee6d435d 9588 java optional velocity_1.7-5+deb10u1.debian.tar.xz
 0106e4b4da62708be59eccc5627d71d8 616616 doc optional velocity-doc_1.7-5+deb10u1_all.deb
 912ab4f564be33ee49d809c25f9d6a6a 429228 java optional velocity_1.7-5+deb10u1_all.deb
 a72e5a27730d9f0fa62798c8ece4e929 13196 java optional velocity_1.7-5+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
