Your message dated Sat, 29 Jun 2013 10:47:22 +0000 with message-id <e1ussgc-0000oq...@franck.debian.org> and subject line Bug#714241: fixed in xml-security-c 1.6.1-5+deb7u2 has caused the Debian Bug report #714241, regarding xml-security-c: CVE-2013-2210 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: xml-security-c Severity: grave Tags: security patch Justification: user security hole Hi Russ, the following vulnerability was published for xml-security-c. It looks the fix for CVE-2013-2154 introduced the possibility of a heap overflow. CVE-2013-2210[0]: heap overflow during XPointer evaluation If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210 http://security-tracker.debian.org/tracker/CVE-2013-2210 [1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt [2] http://svn.apache.org/viewvc?view=revision&revision=r1496703 Could you double check this, and prepare packages for squeeze and wheezy too? Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: xml-security-c Source-Version: 1.6.1-5+deb7u2 We believe that the bug you reported is fixed in the latest version of xml-security-c, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 714...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Russ Allbery <r...@debian.org> (supplier of updated xml-security-c package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 27 Jun 2013 13:54:03 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u2 Distribution: stable-security Urgency: high Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org> Changed-By: Russ Allbery <r...@debian.org> Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. (Closes: #714241, CVE-2013-2210) Checksums-Sha1: 69343ccfc8fb3368cd3bf5cb289897f2f9b655a2 1813 xml-security-c_1.6.1-5+deb7u2.dsc ba7f9c8b5c122ea213ab6b880e13952cace2b36f 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 6c3d73f2d99f2f6b1f6c7ba97820209f17d64437 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb 7a4a814816050ca5d6e62d67ad17fce18dc7b460 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb Checksums-Sha256: a5aaeff16e400d7351fde6903fb32733af8c38990365913d42923280cf9a39ec 1813 xml-security-c_1.6.1-5+deb7u2.dsc c0218aa7181316be9fa44753b09c81c5a327e5d6ed01d533f462a37325723789 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 05fdb7667ce34abb7cf2b7f3ea0f38820b4d6cbda9cd153842be9470079be733 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb 8f14e1257df217c479fddd63aaaa7345a772a1f359faf4e6f18beb1bc6170947 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb Files: fd91e1b027e8af76e9260aa86a2c96cc 1813 libs extra xml-security-c_1.6.1-5+deb7u2.dsc ab3cf5ffdde120bbdf4aebd3c88bb9c9 12013 libs extra xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 95959ea297072b19617efd9757b34182 375560 libs extra libxml-security-c16_1.6.1-5+deb7u2_i386.deb 8ae52f2ded56659e2e1e984a62b3a55c 151332 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRzRelAAoJEH2AMVxXNt51XosIAJimFictwIv+bNuF0ruNq+de PcB3JFutC3hikV62nyEpT4/EBFGAF12NTAnESrqoEo2/nvwZvquPj3Yzbwg+SSfV Bp8o/KVPbo8k+uV5cpzQlaPgEg5BCgHy2XNoOakaoIjTQb3+5YeY1mAlWeT05248 6zxdQ2YzGxmdWEhT5+u2wW2LTMynNrbHM3qc0HIEBnCkwOnnOcCg+Z6Be7nHprv1 EPQOIA+wiAB+T5KVw0IOj1LV7OeH9unxKc19iOZ8l5H2NSqiVNPWmnkJwfsXKanU 9sDWsoxUZUCVd6pYqAV8JmgEdxyeff4xkIFzaV9Gvcm6ieUx8zHcfGFltFwEv1o= =Sa/6 -----END PGP SIGNATURE-----
--- End Message ---
