Debian Bug report logs - #650542
pu: package mojarra/2.0.3-1

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Miguel Landaeta <miguel@miguel.cc>

Date: Wed, 30 Nov 2011 18:54:01 UTC

Severity: normal

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#650542; Package release.debian.org. (Wed, 30 Nov 2011 18:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 30 Nov 2011 18:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package mojarra/2.0.3-1
Date: Wed, 30 Nov 2011 14:22:26 -0430
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi folks,

I have prepared an upload to fix #650430 / CVE-2011-4358.

This bug affects mojarra 2.0.3-1 in stable.

I'm attaching the debdiff with the backported patch that fixes
this issue and the updated package meant for squeeze.

I plan to do an urgent upload to unstable before the weekend.

A patch and a link to a PoC can be found in the body of #650430 report.

Are you OK with uploading a fix for this to s-p-u?

Cheers,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[650430.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#650542; Package release.debian.org. (Wed, 30 Nov 2011 20:18:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 30 Nov 2011 20:18:11 GMT) Full text and rfc822 format available.

Message #10 received at 650542@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Miguel Landaeta <miguel@miguel.cc>, 650542@bugs.debian.org
Subject: Re: Bug#650542: pu: package mojarra/2.0.3-1
Date: Wed, 30 Nov 2011 20:15:31 +0000
On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> I have prepared an upload to fix #650430 / CVE-2011-4358.
> 
> This bug affects mojarra 2.0.3-1 in stable.

Thanks for working on this.

> I'm attaching the debdiff with the backported patch that fixes
> this issue and the updated package meant for squeeze.

It's not exactly a minimal patch - admittedly we've seen worse. :) I'm
guessing that the .properties changes and the pulling in of logging code
are part of the upstream patch, although I'm not really sure how they
contribute to fixing the bug.  Maybe I'm just getting cynical in my old
age. :)

> I plan to do an urgent upload to unstable before the weekend.

It might be obvious and predictable, but for the record - the unstable
upload needs to happen before stable.  Preferably unstable wants to be
fixed for a few days at least, in order to verify that no obvious
regressions occur.

> A patch and a link to a PoC can be found in the body of #650430 report.

Have the security team confirmed that they don't wish to handle this via
a DSA?  I couldn't see anything in the bug report or the security
tracker which mentions not doing so.

Regards,

Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#650542; Package release.debian.org. (Wed, 30 Nov 2011 21:00:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 30 Nov 2011 21:00:09 GMT) Full text and rfc822 format available.

Message #15 received at 650542@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Miguel Landaeta <miguel@miguel.cc>, 650542@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#650542: pu: package mojarra/2.0.3-1
Date: Wed, 30 Nov 2011 21:59:54 +0100
On Wed, Nov 30, 2011 at 08:15:31PM +0000, Adam D. Barratt wrote:
> On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> > I have prepared an upload to fix #650430 / CVE-2011-4358.
> > 
> > This bug affects mojarra 2.0.3-1 in stable.
> 
> Thanks for working on this.
> 
> > I'm attaching the debdiff with the backported patch that fixes
> > this issue and the updated package meant for squeeze.
> 
> It's not exactly a minimal patch - admittedly we've seen worse. :) I'm
> guessing that the .properties changes and the pulling in of logging code
> are part of the upstream patch, although I'm not really sure how they
> contribute to fixing the bug.  Maybe I'm just getting cynical in my old
> age. :)
> 
> > I plan to do an urgent upload to unstable before the weekend.
> 
> It might be obvious and predictable, but for the record - the unstable
> upload needs to happen before stable.  Preferably unstable wants to be
> fixed for a few days at least, in order to verify that no obvious
> regressions occur.
> 
> > A patch and a link to a PoC can be found in the body of #650430 report.
> 
> Have the security team confirmed that they don't wish to handle this via
> a DSA?  I couldn't see anything in the bug report or the security
> tracker which mentions not doing so.

No, this should be fixed through stable-security. 

Miguel, please upload to stable-security as outlined here:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-building

You need to build with "-sa", since mojarra is new in stable-security.

Cheers,
        Moritz
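The two things Moritz asks for above (an upload targeting stable-security, built with "-sa" so the orig tarball is included because mojarra has never been in that suite) are easy to get wrong and only show up as a reject from the archive. The script below is an added example, not part of this bug report or of the mojarra package: it inspects a .changes file before upload and fails if the Distribution field is not a *-security suite or the Files section lacks a .orig.tar.*. The .changes content it writes is constructed for the example (version, binary name and checksums are placeholders, not the real upload), and whether the changelog target should read "stable-security" or "squeeze-security" is something to confirm against the developers-reference link above; the check accepts any *-security value.

```shell
#!/bin/sh
# Pre-upload sanity check for a Debian security upload built with
# "dpkg-buildpackage -sa". Added example; not code from the bug report.
# It verifies that a .changes file (a) targets a *-security suite and
# (b) lists the .orig.tar.* in its Files: section, which "-sa" forces
# even when the upstream tarball already exists in another suite.

# Write a constructed sample .changes file to the path given in $1.
# Version, binary package, maintainer and checksums are placeholders.
write_sample_changes() {
    cat > "$1" <<'EOF'
Format: 1.8
Date: Wed, 30 Nov 2011 14:22:26 -0430
Source: mojarra
Binary: libexample-java
Architecture: source all
Version: 2.0.3-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Example Maintainers <maintainers@example.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Files:
 d41d8cd98f00b204e9800998ecf8427e 1234 java optional mojarra_2.0.3-1+squeeze1.dsc
 d41d8cd98f00b204e9800998ecf8427e 5678 java optional mojarra_2.0.3.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 9012 java optional mojarra_2.0.3-1+squeeze1.debian.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 3456 java optional libexample-java_2.0.3-1+squeeze1_all.deb
EOF
}

# Print the value of the Distribution: field of the .changes file in $1.
changes_distribution() {
    sed -n 's/^Distribution: *//p' "$1"
}

# Return 0 if the Files: section of $1 lists an orig tarball, else 1.
# Only indented lines directly under "Files:" are inspected; the file
# name is the fifth field (md5 size section priority name).
changes_has_orig() {
    awk '
        /^Files:/            { in_files = 1; next }
        in_files && /^ /     { if ($5 ~ /\.orig\.tar\./) found = 1; next }
        in_files && !/^ /    { in_files = 0 }
        END                  { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 if the upload targets a security suite (anything ending in
# "-security"), else 1.
changes_targets_security() {
    case "$(changes_distribution "$1")" in
        *-security) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run both checks on $1, print a diagnosis, return non-zero on any failure.
check_security_upload() {
    rc=0
    if ! changes_targets_security "$1"; then
        echo "FAIL: Distribution is '$(changes_distribution "$1")', not a *-security suite" >&2
        rc=1
    fi
    if ! changes_has_orig "$1"; then
        echo "FAIL: no .orig.tar.* in Files: -- rebuild with dpkg-buildpackage -sa" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 targets a security suite and includes the orig tarball"
    return "$rc"
}

# Stand-alone run: check the constructed sample.
sample=$(mktemp)
write_sample_changes "$sample"
check_security_upload "$sample"
rm -f "$sample"
```

In practice you would point check_security_upload at the real mojarra_*_source.changes (or the full *.changes) produced by the build, and only sign and upload to security-master once it reports OK; a missing orig tarball is exactly the case the "-sa" hint is about.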
Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Wed, 30 Nov 2011 21:15:04 GMT) Full text and rfc822 format available.

Notification sent to Miguel Landaeta <miguel@miguel.cc>:
Bug acknowledged by developer. (Wed, 30 Nov 2011 21:15:05 GMT) Full text and rfc822 format available.

Message #20 received at 650542-done@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Mühlenhoff <jmm@inutil.org>, 650542-done@bugs.debian.org
Cc: Miguel Landaeta <miguel@miguel.cc>
Subject: Re: Bug#650542: pu: package mojarra/2.0.3-1
Date: Wed, 30 Nov 2011 21:12:47 +0000
On Wed, 2011-11-30 at 21:59 +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 30, 2011 at 08:15:31PM +0000, Adam D. Barratt wrote:
> > On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> > > I have prepared an upload to fix #650430 / CVE-2011-4358.
> > > 
> > > This bug affects mojarra 2.0.3-1 in stable.
[...]
> > Have the security team confirmed that they don't wish to handle this via
> > a DSA?  I couldn't see anything in the bug report or the security
> > tracker which mentions not doing so.
> 
> No, this should be fixed through stable-security. 

Thanks for the quick follow-up, Moritz.  In that case, let's close the
p-u bug.

Regards,

Adam
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2011 07:35:09 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:44:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.