• Accepted commons-configuration2 2.8.0-1~deb11u1 (source) into proposed-

    From Debian FTP Masters@21:1/5 to All on Sat Dec 3 21:30:01 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Mon, 28 Nov 2022 11:00:21 CET
    Source: commons-configuration2
    Architecture: source
    Version: 2.8.0-1~deb11u1
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
    Changed-By: Markus Koschany <apo@debian.org>
    Closes: 1014960
    Changes:
    commons-configuration2 (2.8.0-1~deb11u1) bullseye-security; urgency=high
    .
    * Team upload.
    * Backport version 2.8.0 from Bullseye.
    * Fix CVE-2022-33980:
      Apache Commons Configuration performs variable interpolation, allowing
      properties to be dynamically evaluated and expanded. Starting with version
      2.4 and continuing through 2.7, the set of default Lookup instances
      included interpolators that could result in arbitrary code execution or
      contact with remote servers. These lookups are:
      - "script" - execute expressions using the JVM script execution engine
        (javax.script)
      - "dns" - resolve dns records
      - "url" - load values from urls, including from remote servers
      Applications using the interpolation defaults in the affected
      versions may be vulnerable to remote code execution or unintentional
      contact with remote servers if untrusted configuration values are used.
      (Closes: #1014960)
    Files:
    fa7cdaaae6a92a07a2bfe9b013f284e5 3147 java optional commons-configuration2_2.8.0-1~deb11u1.dsc
    fc1361d211825df0a92dc5d4d604f11a 674444 java optional commons-configuration2_2.8.0.orig.tar.xz
    0620bde3c78ac9a8dfb95d4ceabcb50f 5500 java optional commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
    0cc36f29d03b550d137bf46bddd90b9b 17765 java optional commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo

    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----

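An audit sketch for the three lookups the changelog entry above names, added here as an example and not part of the Debian upload or of Apache Commons Configuration. It assumes configuration stored in `.properties`-style text; `parse_properties`, `find_risky_lookups` and the sample are hypothetical names and constructed data.

```python
import re

# Lookup prefixes named in the CVE-2022-33980 changelog text above.
RISKY_PREFIXES = ("script", "dns", "url")
# Start of an interpolation token, e.g. "${script:". Case-insensitive matching
# is a conservative choice made for this example.
_TOKEN = re.compile(r"\$\{\s*(%s)\s*:" % "|".join(RISKY_PREFIXES), re.I)
# key, optional '=' or ':' separator, value (example scope: no key escapes).
_ENTRY = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)", re.S)


def parse_properties(text):
    """Yield (line_no, key, value) from .properties-style text."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            start = no
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        match = _ENTRY.match(pending + line)
        pending = ""
        if match:
            yield start, match.group(1), match.group(2)


def find_risky_lookups(text):
    """Return (line_no, key, prefix) for each risky lookup found in a value."""
    return [(no, key, m.group(1).lower())
            for no, key, value in parse_properties(text)
            for m in _TOKEN.finditer(value)]


# Constructed sample with placeholder values, not from any real application.
SAMPLE = """\
# a commented-out ${script:ENGINE:EXPRESSION} is ignored
app.name = demo
app.home = ${sys:user.home}/demo
banner = ${script:ENGINE:EXPRESSION}
peer.addr = ${DNS:address|example.invalid}
motd = prefix \\
    ${url:UTF-8:https://example.invalid/motd}
"""

if __name__ == "__main__":
    for no, key, prefix in find_risky_lookups(SAMPLE):
        print(f"line {no}: {key} uses the '{prefix}' lookup")
```

A prefix assembled at run time through nested interpolation is not visible to a static scan like this one, so a clean result does not replace running the fixed package version.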