Your message dated Fri, 21 Mar 2025 14:49:12 +0100
with message-id <[email protected]>
and subject line Re: Bug#1007243: kotlin: CVE-2022-24329 - not possible to lock 
dependencies for Multiplatform Gradle Projects
has caused the Debian Bug report #1007243,
regarding kotlin: CVE-2022-24329 - not possible to lock dependencies for 
Multiplatform Gradle Projects
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1007243: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007243
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kotlin
Version: 1.3.31+~1.0.1+~0.11.12-2
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team 
<[email protected]>

Hi,

The following vulnerability was published for kotlin.

CVE-2022-24329[0]:
| In JetBrains Kotlin before 1.6.0, it was not possible to lock
| dependencies for Multiplatform Gradle Projects.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24329
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24329

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
On Fri, Mar 21, 2025 at 09:42:41AM +0100, Julien Plissonneau Duquène wrote:
> Control: found -1
> 
> Hi,
> 
> After some investigation it seems that the vulnerability described (tersely
> and very approximatively) by this report appeared with a feature that was
> first released with version 1.5.20. It was (as reported) fixed with release
> 1.6.0, and was in fact already fixed when the corresponding mystery issue
> was opened upstream.
> 
> The version 1.3.31 that is currently packaged is not affected AFAICT. As the
> planned upgrade will jump straight to 2.0.21 or above, no version of this
> package is going to be affected by this CVE.

Thanks for the analysis. I've updated the Debian Security Tracker, we can
close the bug then.

Cheers,
        Moritz

--- End Message ---