Accepted commons-configuration2 2.8.0-1~deb11u1 (source) into proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 28 Nov 2022 11:00:21 CET
Source: commons-configuration2
Architecture: source
Version: 2.8.0-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 4a6b341cc007f5f471e2dc5ac188646a9d6871ca 3147 commons-configuration2_2.8.0-1~deb11u1.dsc
 c03103d376cdd50db521b0d5a327705bfad6e48a 674444 commons-configuration2_2.8.0.orig.tar.xz
 a8af81b5e8b6ea69a007656074b7ac0e38693cf3 5500 commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
 f7cf409535a07dfe691f72ac6aa9e2d4e4087395 17765 commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo
Checksums-Sha256:
 c1538a574a3c86b57b03e53e176f3c560d8cb04e34bdad24a1ec7ab7ff62bc12 3147 commons-configuration2_2.8.0-1~deb11u1.dsc
 ac1a055140e91ef8937420552512b7e8cd8bbf8899d10e753f01d6cc3dbe0f1b 674444 commons-configuration2_2.8.0.orig.tar.xz
 60255b7b4d91ae24370cad85b72408f562ec6f61450e6ee64fb8550fa7c4e6d8 5500 commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
 86acb86b71369da8dda8dfc370d11effe6820556c665b67ad6fc1b17e6f1471d 17765 commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo
Closes: 1014960
Changes:
 commons-configuration2 (2.8.0-1~deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Backport version 2.8.0 from Bullseye.
   * Fix CVE-2022-33980:
     Apache Commons Configuration performs variable interpolation, allowing
     properties to be dynamically evaluated and expanded. Starting with version
     2.4 and continuing through 2.7, the set of default Lookup instances
     included interpolators that could result in arbitrary code execution or
     contact with remote servers. These lookups are:
     - "script" - execute expressions using the JVM script execution engine
       (javax.script)
     - "dns" - resolve DNS records
     - "url" - load values from URLs, including from remote servers
     Applications using the interpolation defaults in the affected
     versions may be vulnerable to remote code execution or unintentional
     contact with remote servers if untrusted configuration values are used.
     (Closes: #1014960)
Files:
 fa7cdaaae6a92a07a2bfe9b013f284e5 3147 java optional commons-configuration2_2.8.0-1~deb11u1.dsc
 fc1361d211825df0a92dc5d4d604f11a 674444 java optional commons-configuration2_2.8.0.orig.tar.xz
 0620bde3c78ac9a8dfb95d4ceabcb50f 5500 java optional commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
 0cc36f29d03b550d137bf46bddd90b9b 17765 java optional commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----