Bug#566503: marked as done (RM: libgnucrypto-java/stable -- RoM; security issue, no rdeps, low popcon)
Your message dated Fri, 29 Jan 2010 19:57:01 +0000
with message-id <E1Nawxh-00067Q-PO@ries.debian.org>
and subject line Bug#566503: Removed package(s) from stable
has caused the Debian Bug report #566503,
regarding RM: libgnucrypto-java/stable -- RoM; security issue, no rdeps, low popcon
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
566503: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566503
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libgnucrypto-java: CVE-2008-5659 predictable random number generator
- From: Michael Gilbert <michael.s.gilbert@gmail.com>
- Date: Sun, 6 Dec 2009 22:33:43 -0500
- Message-id: <20091206223343.f79c1ef2.michael.s.gilbert@gmail.com>
Package: libgnucrypto-java
Version: 2.1.0-2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath. libgnucrypto-java embeds classpath, so it is
also affected.
CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
http://security-tracker.debian.org/tracker/CVE-2008-5659
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:
libgnucrypto-java | 2.1.0-2 | source, all
------------------- Reason -------------------
RoRT; libgnucrypto-java/stable -- RoM; security issue, no rdeps, low popcon
----------------------------------------------
Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it). Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.
Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.
Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System. Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 566503@bugs.debian.org.
The full log for this bug can be viewed at http://bugs.debian.org/566503
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.
Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---
Reply to: