-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Sep 2023 19:21:03 +0200
Source: apache-jena
Architecture: source
Version: 4.9.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1035952 1041108
Changes:
 apache-jena (4.9.0-1) unstable; urgency=medium
 .
   * New upstream version 4.9.0.
     - Fix CVE-2023-22665: (Closes: #1041108)
       There is insufficient checking of user queries in Apache Jena versions
       4.7.0 and earlier, when invoking custom scripts. It allows a remote user
       to execute arbitrary javascript via a SPARQL query.
     - Fix CVE-2023-32200: (Closes: #1035952)
       There are insufficient restrictions of called script functions in Apache
       Jena versions 4.8.0 and earlier. It allows a remote user to execute
       javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0
       through 4.8.0.
   * B-D on libcaffeine-java and libcommons-collections4-java.
   * Ignore org.roaringbitmap:RoaringBitmap artifact. Needs packaging.
   * Rebase and update the patches for the new release.