Bug#548358: marked as done (libxerces2-java: CVE-2009-2625 infinite loop denial of service in libxerces2-java)

[Debian Bug Tracking System]

Your message dated Sun, 31 Jan 2010 19:57:12 +0000
with message-id <e1nbfuy-0005ev...@ries.debian.org>
and subject line Bug#548358: fixed in libxerces2-java 2.9.1-2+lenny1
has caused the Debian Bug report #548358,
regarding libxerces2-java: CVE-2009-2625 infinite loop denial of service in 
libxerces2-java
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
548358: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548358
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libxerces2-java
Version: 2.9.1-2
Severity: normal

Discussed here:
http://mail-archives.apache.org/mod_mbox/xerces-j-users/200908.mbox/thread

Michael Glavassevich claims this is fixed in Xerces Java subversion here:
http://marc.info/?l=xerces-cvs&m=124569778024398&w=2


-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxerces2-java depends on:
ii  libjaxp1.3-java             1.3.04-3     Java XML parser and transformer AP
ii  sun-java5-jre [java2-runtim 1.5.0-17-0.1 Sun Java(TM) Runtime Environment (
ii  sun-java6-jre [java2-runtim 6-12-1       Sun Java(TM) Runtime Environment (

Versions of packages libxerces2-java recommends:
ii  libxerces2-java-gcj           2.9.1-2    Validating XML parser for Java wit

Versions of packages libxerces2-java suggests:
pn  libxerces2-java-doc           <none>     (no description available)

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: libxerces2-java
Source-Version: 2.9.1-2+lenny1

We believe that the bug you reported is fixed in the latest version of
libxerces2-java, which is due to be installed in the Debian FTP archive:

libxerces2-java-doc_2.9.1-2+lenny1_all.deb
  to main/libx/libxerces2-java/libxerces2-java-doc_2.9.1-2+lenny1_all.deb
libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb
  to main/libx/libxerces2-java/libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb
libxerces2-java_2.9.1-2+lenny1.diff.gz
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1.diff.gz
libxerces2-java_2.9.1-2+lenny1.dsc
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1.dsc
libxerces2-java_2.9.1-2+lenny1_all.deb
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated libxerces2-java 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Jan 2010 12:15:45 +0100
Source: libxerces2-java
Binary: libxerces2-java libxerces2-java-gcj libxerces2-java-doc
Architecture: source all i386
Version: 2.9.1-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 libxerces2-java - Validating XML parser for Java with DOM level 3 support
 libxerces2-java-doc - Validating XML parser for Java -- Documentation and 
examples
 libxerces2-java-gcj - Validating XML parser for Java with DOM level 3 support 
(native c
Closes: 548358
Changes: 
 libxerces2-java (2.9.1-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2625: denial of service (infinite loop and application hang)
     via malformed XML input (Closes: #548358)
Checksums-Sha1: 
 cc083e32fef53f21c7f01720c9245b87cd9938b9 1564 
libxerces2-java_2.9.1-2+lenny1.dsc
 78786a120c10b3d7079384cecbd2860260e47445 1711507 
libxerces2-java_2.9.1.orig.tar.gz
 2dabb7c2f0723621510d14c6933030132ed4a350 10682 
libxerces2-java_2.9.1-2+lenny1.diff.gz
 19256426fbc3380b2e436c407c903cd14bd8fc38 1127062 
libxerces2-java_2.9.1-2+lenny1_all.deb
 35a242fc67ac3bd3ec773386429b310d3cf8a268 2088698 
libxerces2-java-doc_2.9.1-2+lenny1_all.deb
 693321ec49dcc318cc324e680f919ff82e4e827d 1552678 
libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb
Checksums-Sha256: 
 20170dbfa3b8c447ed8bf05994ae69f44e8265a12943e01273630a0448e7f53b 1564 
libxerces2-java_2.9.1-2+lenny1.dsc
 13af0062a72a4a0d541ca5336391eafa4d580258cacf4a5e062ea584ca950592 1711507 
libxerces2-java_2.9.1.orig.tar.gz
 6d7b13cf5eccf3b2ee852fa97423312ab3297a149f656fcff89b51f7641234d1 10682 
libxerces2-java_2.9.1-2+lenny1.diff.gz
 8a5c70b8dec83f4a741716b593abcd19c7b4587ef0d02f70ff896a0bc25dc89b 1127062 
libxerces2-java_2.9.1-2+lenny1_all.deb
 2eee10f7936561ac506cdcfcf9c9b3bc538817fd29c622f01188fd6c401fed6a 2088698 
libxerces2-java-doc_2.9.1-2+lenny1_all.deb
 c901eb66c8562ad604929e285d509d34fb5aac9d601e71f85fd9c1646cdae8bf 1552678 
libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb
Files: 
 687af8f7589c187b3eb845d56a212e8a 1564 libs optional 
libxerces2-java_2.9.1-2+lenny1.dsc
 e340cba4a2abf4f0f833488380821153 1711507 libs optional 
libxerces2-java_2.9.1.orig.tar.gz
 d670183e18c295c02409a4fdefaebce5 10682 libs optional 
libxerces2-java_2.9.1-2+lenny1.diff.gz
 597c68ab6819ef03af42d61134923d59 1127062 libs optional 
libxerces2-java_2.9.1-2+lenny1_all.deb
 44509a477751e947333653be05b5ad96 2088698 doc optional 
libxerces2-java-doc_2.9.1-2+lenny1_all.deb
 a41c909d90a8c374099743cbcb8fc322 1552678 libs optional 
libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktix8kACgkQNxpp46476arrJgCdHWqNEf0OElwrnOX1CocUXMru
/k4AnRpWp89MOZiRUEfT+xJVGVLQPqCL
=h29s
-----END PGP SIGNATURE-----

--- End Message ---