Your message dated Tue, 19 Apr 2011 19:55:19 +0000
with message-id <e1qch15-0007zd...@franck.debian.org>
and subject line Bug#620560: fixed in xmlsec1 1.2.9-5+lenny1
has caused the Debian Bug report #620560,
regarding libxslt1.1: XML Security Library "xslt.c" Arbitrary File Access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
620560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.24-2
Severity: grave
Tags: security
Justification: user security hole


Please note messages:
  http://www.sans.org/newsletters/risk/display.php?v=10&i=14#11.15.18
  http://www.aleksey.com/pipermail/xmlsec/2011/009120.html
Seems to me that Debian is affected.
(I do not use XML so did not verify.)

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxslt1.1 depends on:
ii  libc6               2.7-18lenny7         GNU C Library: Shared libraries
ii  libgcrypt11         1.4.1-1              LGPL Crypto library - runtime libr
ii  libxml2             2.6.32.dfsg-5+lenny3 GNOME XML library

libxslt1.1 recommends no packages.

libxslt1.1 suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: xmlsec1
Source-Version: 1.2.9-5+lenny1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.9-5+lenny1_amd64.deb
libxmlsec1-gnutls_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.9-5+lenny1_amd64.deb
libxmlsec1-nss_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.9-5+lenny1_amd64.deb
libxmlsec1-openssl_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.9-5+lenny1_amd64.deb
libxmlsec1_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1_1.2.9-5+lenny1_amd64.deb
xmlsec1_1.2.9-5+lenny1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.9-5+lenny1.diff.gz
xmlsec1_1.2.9-5+lenny1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.9-5+lenny1.dsc
xmlsec1_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/xmlsec1_1.2.9-5+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Wed, 13 Apr 2011 11:57:24 +0200
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source amd64
Version: 1.2.9-5+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: John V. Belmonte <jbelmo...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 620560
Changes: 
 xmlsec1 (1.2.9-5+lenny1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch from upstream addressing arbitrary file overwrite
     (CVE-2011-1425, closes: #620560).
--- End Message ---
