Debian Bug report logs - #650430
Mojarra: CVE-2011-4358

version graph

Package: mojarra; Maintainer for mojarra is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Tue, 29 Nov 2011 18:27:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions mojarra/2.0.3-2, mojarra/2.0.3-1+squeeze1

Done: Miguel Landaeta <miguel@miguel.cc>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#650430; Package mojarra. (Tue, 29 Nov 2011 18:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 29 Nov 2011 18:27:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: Mojarra: CVE-2011-4358
Date: Tue, 29 Nov 2011 19:13:28 +0100
Package: mojarra
Severity: grave
Tags: security patch

Hi there,
	A vulnerability against mojarra have been reported.
http://www.openwall.com/lists/oss-security/2011/11/29/1

Please, check the reference to a get a patch and a PoC.

Best Regards,

/luciano




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#650430; Package mojarra. (Tue, 29 Nov 2011 23:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 29 Nov 2011 23:09:03 GMT) Full text and rfc822 format available.

Message #10 received at 650430@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 650430@bugs.debian.org
Subject: Re: Mojarra: CVE-2011-4358
Date: Tue, 29 Nov 2011 18:38:29 -0430
[Message part 1 (text/plain, inline)]
On Tue, Nov 29, 2011 at 07:13:28PM +0100, Luciano Bello wrote:
> 	A vulnerability against mojarra have been reported.
> http://www.openwall.com/lists/oss-security/2011/11/29/1

I'm on it.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Thu, 01 Dec 2011 23:45:06 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Thu, 01 Dec 2011 23:45:06 GMT) Full text and rfc822 format available.

Message #15 received at 650430-close@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 650430-close@bugs.debian.org
Subject: Bug#650430: fixed in mojarra 2.0.3-2
Date: Thu, 01 Dec 2011 23:43:00 +0000
Source: mojarra
Source-Version: 2.0.3-2

We believe that the bug you reported is fixed in the latest version of
mojarra, which is due to be installed in the Debian FTP archive:

libjsf-api-java_2.0.3-2_all.deb
  to main/m/mojarra/libjsf-api-java_2.0.3-2_all.deb
libjsf-impl-java_2.0.3-2_all.deb
  to main/m/mojarra/libjsf-impl-java_2.0.3-2_all.deb
libjsf-java-doc_2.0.3-2_all.deb
  to main/m/mojarra/libjsf-java-doc_2.0.3-2_all.deb
mojarra_2.0.3-2.debian.tar.gz
  to main/m/mojarra/mojarra_2.0.3-2.debian.tar.gz
mojarra_2.0.3-2.dsc
  to main/m/mojarra/mojarra_2.0.3-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated mojarra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Nov 2011 19:45:48 -0430
Source: mojarra
Binary: libjsf-api-java libjsf-impl-java libjsf-java-doc
Architecture: source all
Version: 2.0.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libjsf-api-java - JavaServer Faces 2.0 Java EE web framework - API
 libjsf-impl-java - JavaServer Faces 2.0 Java EE web framework - Implementation
 libjsf-java-doc - Documentation for libjsf-api-java
Closes: 650430
Changes: 
 mojarra (2.0.3-2) unstable; urgency=high
 .
   * Fixed critical bug by not allowing the value of UIViewParam to be an
     EL Expression: CVE-2011-4358. (Closes: #650430).
   * Bump Standards-Version to 3.9.2. No changes were required.
   * Update watch file.
Checksums-Sha1: 
 ce56fcbb64c67729e7ff3a31e691e76bd6fc3306 2331 mojarra_2.0.3-2.dsc
 826ca6abf3840fc0841f71fae1ef0413dafc414f 17594 mojarra_2.0.3-2.debian.tar.gz
 aae9f9e374bfa1d8e877eccf068fbf10360c386f 432724 libjsf-api-java_2.0.3-2_all.deb
 fd70099031d06f5ef44b5b0de2a7ceb644efab28 1410550 libjsf-impl-java_2.0.3-2_all.deb
 1381dbe8ddce21d402fde91a497880eac8e6ddf2 970818 libjsf-java-doc_2.0.3-2_all.deb
Checksums-Sha256: 
 0598a2e7026124ce8a8d00d4b12568beefa0471ad74263542437c9dc6971bc45 2331 mojarra_2.0.3-2.dsc
 d8fa06fcd7a4e95deb5a28d15a80ef56ae23a5cd705c4e87ed2b37ecb5b8be1a 17594 mojarra_2.0.3-2.debian.tar.gz
 d4d6079866672c0edff6bf3bbfffbdd5529a76692b350b142264d44899bf3144 432724 libjsf-api-java_2.0.3-2_all.deb
 be6e806f697f148fbe9797841f7e439ebe9863b65d6dde53146db04f5f397313 1410550 libjsf-impl-java_2.0.3-2_all.deb
 d1fa01f34bb0475793db4ead6e20ac1860af77df75776438b0c1321782d11152 970818 libjsf-java-doc_2.0.3-2_all.deb
Files: 
 00694b57a42fad7c9f47797fd11a2577 2331 java optional mojarra_2.0.3-2.dsc
 3f5c0fad4bb639eff62103ee02c83262 17594 java optional mojarra_2.0.3-2.debian.tar.gz
 6d2bc43f44f3f581b11ae929fdaea356 432724 java optional libjsf-api-java_2.0.3-2_all.deb
 403247ad5a275f353209ac1f3b5d9556 1410550 java optional libjsf-impl-java_2.0.3-2_all.deb
 33315f95a2b2fc862ea110c055d975ed 970818 doc optional libjsf-java-doc_2.0.3-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJO18MRAAoJECHSBYmXSz6WaJ4P/3Snk8ymPBiSM2FCeJJ166k7
x6ZI60qiuS4JxAUcxliQCp3AUgzPjz2JNECVbzY6H+ilfbP0k3VLYXj/9ERVYihh
hPzgF6+73xTdqXAVN+X1BYIBQ1T/V4Uk/pgDmkT6e8/16XVvZT6y110LQ3iK3w0U
NTrUkx9XbJw3j6ib3cDD3vqrb6prn1DB4pg29d7aUllU8qs8NsMDnEQnUiZHfoyO
kMDrVB7HX2ITnSpnOYOctUOtaYJHud1qFZJlHbIZMCwIeWAwlRu5Sgv32ukhbhyp
HRZk+4s22XrbtAVaAlqm/7e6Hpi6MMuc5sZHHXVqMR0LH1yXyapugEDxIIqpggK9
fa0aOojgoZemGhDhUvSgICvAlx2LSc6MOOSaRAXd0OvJvPQNTLyEBI6GcJR4Q6IK
dtA1s62GqSR/hEZd01+SfIMnb9L8vJNUQKPFszyPE80zhFZaxUan5rU6KAWkguPk
CzjAryrCRg8T3d3PogzfOqXGPjbVhiqQwlD7V6kaLJPglO/qWA9BMZPqWXLvPmbq
ld8phqRt9tuf+D61ClpV5uPxuw/G1TGDsffSMUhhn1VXu5csCRSMnr+gVd3j9Kze
6LzFvVQNpPnwGyY5kKGf2/s4Sha1V+1jwhWauN58uIozePY4KKOYZrNzyCIX5fSW
+vRj7J7IRAw6NIk0nzg8
=ttlp
-----END PGP SIGNATURE-----





Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Mon, 20 Feb 2012 22:51:11 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 20 Feb 2012 22:51:11 GMT) Full text and rfc822 format available.

Message #20 received at 650430-close@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 650430-close@bugs.debian.org
Subject: Bug#650430: fixed in mojarra 2.0.3-1+squeeze1
Date: Mon, 20 Feb 2012 22:49:11 +0000
Source: mojarra
Source-Version: 2.0.3-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
mojarra, which is due to be installed in the Debian FTP archive:

libjsf-api-java_2.0.3-1+squeeze1_all.deb
  to main/m/mojarra/libjsf-api-java_2.0.3-1+squeeze1_all.deb
libjsf-impl-java_2.0.3-1+squeeze1_all.deb
  to main/m/mojarra/libjsf-impl-java_2.0.3-1+squeeze1_all.deb
libjsf-java-doc_2.0.3-1+squeeze1_all.deb
  to main/m/mojarra/libjsf-java-doc_2.0.3-1+squeeze1_all.deb
mojarra_2.0.3-1+squeeze1.debian.tar.gz
  to main/m/mojarra/mojarra_2.0.3-1+squeeze1.debian.tar.gz
mojarra_2.0.3-1+squeeze1.dsc
  to main/m/mojarra/mojarra_2.0.3-1+squeeze1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated mojarra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Nov 2011 19:45:48 -0430
Source: mojarra
Binary: libjsf-api-java libjsf-impl-java libjsf-java-doc
Architecture: source all
Version: 2.0.3-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libjsf-api-java - JavaServer Faces 2.0 Java EE web framework - API
 libjsf-impl-java - JavaServer Faces 2.0 Java EE web framework - Implementation
 libjsf-java-doc - Documentation for libjsf-api-java
Closes: 650430
Changes: 
 mojarra (2.0.3-1+squeeze1) stable-security; urgency=high
 .
   * Fixed critical bug by not allowing the value of UIViewParam to be an
     EL Expression: CVE-2011-4358. (Closes: #650430).
Checksums-Sha1: 
 80af96980131d17992e4b513e4261bf0c10fb198 1901 mojarra_2.0.3-1+squeeze1.dsc
 ce1cfc55dcbf12ddb56d4f7302c8aaef9514cfd4 3297582 mojarra_2.0.3.orig.tar.gz
 bf07bf5c7dec6c8796aee7a46aa8ab7609a97531 17690 mojarra_2.0.3-1+squeeze1.debian.tar.gz
 59990e28dfa7e38194d4d44b8feb1b7d2aab2fc4 432880 libjsf-api-java_2.0.3-1+squeeze1_all.deb
 624d10dc0757f55ea7357132ea8cb387151a7662 1410476 libjsf-impl-java_2.0.3-1+squeeze1_all.deb
 b378bb22961c1623215425e245239d1d48dbc5fc 970868 libjsf-java-doc_2.0.3-1+squeeze1_all.deb
Checksums-Sha256: 
 1cf2d6ae5e6b19e89cd0a9da59198d60f139513c82b4375f2798ce8bdf421179 1901 mojarra_2.0.3-1+squeeze1.dsc
 c5a15ddc0307b39acdd0b75877c85dd755dbaec9deb37578ed2d3de8f65816d5 3297582 mojarra_2.0.3.orig.tar.gz
 f8d8d08700f741cff7ca1525e5675162d4c58ee88fdebd2a5a1077a4d3566a4b 17690 mojarra_2.0.3-1+squeeze1.debian.tar.gz
 eb91031cb0aca2e651b962f00b8a5ea2a544811d5eee8fee1f9b438aa88b4745 432880 libjsf-api-java_2.0.3-1+squeeze1_all.deb
 b60c46ec99c2ab71faf0cb445aeccbd999eff80f1d5bcefe614311ce70d0107c 1410476 libjsf-impl-java_2.0.3-1+squeeze1_all.deb
 e79608daccabbd22cdbee0b8cb765fa6011f6f658e7480fed65b94b662424a13 970868 libjsf-java-doc_2.0.3-1+squeeze1_all.deb
Files: 
 622e7ea9f1dbf018f6818d4555f0778d 1901 java optional mojarra_2.0.3-1+squeeze1.dsc
 6d9b588e56dabbb4b4d684a4730c8f03 3297582 java optional mojarra_2.0.3.orig.tar.gz
 03b441a5e9f69266670ed2f05d7a0044 17690 java optional mojarra_2.0.3-1+squeeze1.debian.tar.gz
 ea73cc3ea8dd5165279fe718c01c8ff6 432880 java optional libjsf-api-java_2.0.3-1+squeeze1_all.deb
 2ed366d8176100d01a79a8308b824f79 1410476 java optional libjsf-impl-java_2.0.3-1+squeeze1_all.deb
 c3e1e043dfa3527fcfb9b1c6a299b21c 970868 doc optional libjsf-java-doc_2.0.3-1+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJPQsaPAAoJEOxfUAG2iX57mBgIALWxCJZi43G+4AxlHpg2nDit
NniWM+8kMlaVamSy8dJTMqhkI7HkQ/JCUfaolHubytd6NvrIu2UxtvwbgUdB0KV1
4qVqFBkLPW7W+86EpwFM5wgRhb7Ryft5GSkM2actqIOoUTHnY64kM7P72vBgCRhD
R2IJx1DVxT3eayn+setjy8k712Et32IyokhrODWPmvLW/r6bGWPijDH9AkHvDs07
/OZjeIW+dD5ui8oYdAYer8J6soM3rnwm4EDtv/nKEDGd5aomBZEF0lc6QjwD/vg0
w4Rg+asbZlw6cIsZfxTrVBF0xaViL3J/qqemWcA2Ye3d5UdgVtCaNyiV28v2Kf8=
=a6qo
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:38:19 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:07:01 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.