Debian Bug report logs - #691900
gwt: CVE-2012-4563

Package: gwt; Maintainer for gwt is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 31 Oct 2012 06:51:02 UTC

Severity: grave

Tags: security

Fixed in version 2.4.0-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#691900; Package gwt. (Wed, 31 Oct 2012 06:51:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>. (Wed, 31 Oct 2012 06:51:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gwt: CVE-2012-4563
Date: Wed, 31 Oct 2012 07:47:07 +0100
Package: gwt
Severity: grave
Tags: security
Justification: user security hole

Please see https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_4_0
under "Security vulnerability in GWT 2.4".

This was assigned CVE-2012-4563

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#691900; Package gwt. (Thu, 01 Nov 2012 05:42:03 GMT).


Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>. (Thu, 01 Nov 2012 05:42:03 GMT).


Message #10 received at 691900@bugs.debian.org:

From: Charles Plessy <plessy@debian.org>
To: 691900@bugs.debian.org
Subject: Re: [pkg-eucalyptus-maintainers] Bug#691900: gwt: CVE-2012-4563
Date: Thu, 1 Nov 2012 14:38:02 +0900
Le Wed, Oct 31, 2012 at 07:47:07AM +0100, Moritz Muehlenhoff a écrit :
> Package: gwt
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_4_0
> under "Security vulnerability in GWT 2.4".

Hi all,

is there a volunteer to step in ?  Otherwise, can I try to solve that bug
by upgrading to 2.5.0 ?

Cheers,

-- 
Charles



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#691900; Package gwt. (Fri, 02 Nov 2012 01:09:05 GMT).


Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>. (Fri, 02 Nov 2012 01:09:05 GMT).


Message #15 received at 691900@bugs.debian.org:

From: Charles Plessy <plessy@debian.org>
To: 684453@bugs.debian.org, Thomas Koch <thomas@koch.ro>
Cc: 691900@bugs.debian.org, debian-java@lists.debian.org
Subject: Re: [pkg-eucalyptus-maintainers] Bug#691900: gwt: CVE-2012-4563
Date: Fri, 2 Nov 2012 10:05:37 +0900
Le Wed, Oct 31, 2012 at 07:47:07AM +0100, Moritz Muehlenhoff a écrit :
> Package: gwt
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_4_0
> under "Security vulnerability in GWT 2.4".
> 
> This was assigned CVE-2012-4563

Dear Thomas and Java team

In http://bugs.debian.org/684453, you have suggested to transfer the gwt
package under the debian-java umbrella.  We agreed, and action was delayed by a
technical problem on the Dpkg side.

It is a bit embarrassing to ping you with a grave bug, but if you would like to
take over the package, this is the good moment...

In particular I do not know if the best resolution for this bug is to upgrade
to 2.5.0 or to patch, so I am reluctant to take action by myself, worrying that
I might complicate your work on Gerrit.

Please let me know if I can help,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#691900; Package gwt. (Fri, 02 Nov 2012 06:45:05 GMT).


Acknowledgement sent to thomas@koch.ro:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>. (Fri, 02 Nov 2012 06:45:05 GMT).


Message #20 received at 691900@bugs.debian.org:

From: Thomas Koch <thomas@koch.ro>
To: Charles Plessy <plessy@debian.org>
Cc: 684453@bugs.debian.org, 691900@bugs.debian.org, debian-java@lists.debian.org
Subject: Re: [pkg-eucalyptus-maintainers] Bug#691900: gwt: CVE-2012-4563
Date: Fri, 2 Nov 2012 07:43:19 +0100
Charles Plessy:
> Dear Thomas and Java team
> 
> In http://bugs.debian.org/684453, you have suggested to transfer the gwt
> package under the debian-java umbrella.  We agreed, and action was delayed
> by a technical problem on the Dpkg side.
> 
> It is a bit embarrassing to ping you with a grave bug, but if you would like
> to take over the package, this is the good moment...
> 
> In particular I do not know if the best resolution for this bug is to
> upgrade to 2.5.0 or to patch, so I am reluctant to take action by myself,
> worrying that I might complicate your work on Gerrit.

Hi Charles,

thank you for pinging me. I've just spent three days on Debian work. Could you
deal with it by updating to 2.5.0 and also set the maintainer to the java 
packaging team?

There's also a Git repo at 
http://anonscm.debian.org/gitweb/?p=pkg-java/gwt.git
The branch thkoch_patches contains commits to publish the maven artifacts.

I've also filed a bug at Gerrit and asked them to update to gwt 2.5

Regards,

Thomas Koch, http://www.koch.ro



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#691900; Package gwt. (Sat, 03 Nov 2012 13:27:03 GMT).


Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>. (Sat, 03 Nov 2012 13:27:03 GMT).


Message #25 received at 691900@bugs.debian.org:

From: Charles Plessy <plessy@debian.org>
To: Thomas Koch <thomas@koch.ro>
Cc: Charles Plessy <plessy@debian.org>, 691900@bugs.debian.org, debian-java@lists.debian.org
Subject: Re: [pkg-eucalyptus-maintainers] Bug#691900: gwt: CVE-2012-4563
Date: Sat, 3 Nov 2012 22:23:18 +0900
Le Fri, Nov 02, 2012 at 07:43:19AM +0100, Thomas Koch a écrit :
> Charles Plessy:
> > 
> > In particular I do not know if the best resolution for this bug is to
> > upgrade to 2.5.0 or to patch, so I am reluctant to take action by myself,
> > worrying that I might complicate your work on Gerrit.
> 
> Hi Charles,
> 
> thank you for pinging me. I've just spent three days on Debian work. Could you
> deal with it by updating to 2.5.0 and also set the maintainer to the java 
> packaging team?

Hi Thomas,

I have updated the source package to 2.5.0 (checked copyrights, refreshed the
patches), but unfortunately it does not build.  I suppose that some ground work
is needed on the Java side, but I am not able to do it.

I committed all my changes to the Git repository.

Cheers,

-- 
Charles



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#691900; Package gwt. (Wed, 21 Nov 2012 09:15:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>. (Wed, 21 Nov 2012 09:15:04 GMT).


Message #30 received at 691900@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Charles Plessy <plessy@debian.org>
Cc: Thomas Koch <thomas@koch.ro>, 691900@bugs.debian.org, debian-java@lists.debian.org
Subject: Re: [pkg-eucalyptus-maintainers] Bug#691900: gwt: CVE-2012-4563
Date: Wed, 21 Nov 2012 10:11:41 +0100
On Sat, Nov 03, 2012 at 10:23:18PM +0900, Charles Plessy wrote:
> Le Fri, Nov 02, 2012 at 07:43:19AM +0100, Thomas Koch a écrit :
> > Charles Plessy:
> > > 
> > > In particular I do not know if the best resolution for this bug is to
> > > upgrade to 2.5.0 or to patch, so I am reluctant to take action by myself,
> > > worrying that I might complicate your work on Gerrit.
> > 
> > Hi Charles,
> > 
> > thank you for pinging me. I've just spent three days on Debian work. Could you
> > deal with it by updating to 2.5.0 and also set the maintainer to the java 
> > packaging team?
> 
> Hi Thomas,
> 
> I have updated the source package to 2.5.0 (checked copyrights, refreshed the
> patches), but unfortunately it does not build.  I suppose that some ground work
> is needed on the Java side, but I am not able to do it.
> 
> I committed all my changes to the Git repository.

Please note that the initial fix was incomplete, CVE-2012-5920 was assigned for
that: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5920

Cheers,
        Moritz



Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Fri, 09 Aug 2013 06:54:30 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 09 Aug 2013 06:54:30 GMT).


Message #35 received at 691900-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 681923-done@bugs.debian.org,684453-done@bugs.debian.org,685587-done@bugs.debian.org,691900-done@bugs.debian.org,692565-done@bugs.debian.org,697193-done@bugs.debian.org,713162-done@bugs.debian.org,
Cc: gwt@packages.debian.org, gwt@packages.qa.debian.org
Subject: Bug#718911: Removed package(s) from unstable
Date: Fri, 09 Aug 2013 06:53:33 +0000
Version: 2.4.0-1+rm

Dear submitter,

as the package gwt has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/718911

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Ansgar Burchardt (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 06 Sep 2013 07:25:29 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:56:47 2023; Machine Name: bembo