Your message dated Tue, 08 Jul 2014 23:04:21 +0000
with message-id <[email protected]>
and subject line Bug#747309: fixed in libxml2 2.9.1+dfsg1-4
has caused the Debian Bug report #747309,
regarding CVE-2014-0191
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
747309: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747309
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxml2
Version: 2.9.1+dfsg1-3
Severity: grave
Tags: security
Hi,
from oss-security. This was assigned CVE-2014-0191:
| It was discovered that libxml2, a library providing support to read,
| modify and write XML files, incorrectly performs entity substitution in
| the doctype prolog, even if the application using libxml2 disabled any
| entity substitution. A remote attacker could provide a
| specially-crafted XML file that, when processed, would lead to the
| exhaustion of CPU and memory resources or file descriptors.
|
| This issue was discovered by Daniel Berrange of Red Hat.
Fix:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.1+dfsg1-4
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 09 Jul 2014 05:40:15 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.9.1+dfsg1-4
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
libxml2-utils-dbg - XML utilities (debug extension)
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 738080 742350 747309 753005
Changes:
libxml2 (2.9.1+dfsg1-4) unstable; urgency=low
.
[ Christian Svensson ]
* Do not build-depend on readline (Closes: #742350)
.
[ Daniel Schepler ]
* Patch to bootstrap without python (Closes: #738080)
.
[ Helmut Grohne ]
* Drop unneeded B-D on perl and binutils (Closes: #753005)
.
[ Adam Conrad ]
* Actually run dh_autoreconf, which the old/new mixed rules file misses.
.
[ Matthias Klose ]
* Add patch to fix python multiarch issue
* Allow the package to cross-build by tweaking B-Ds on python
* Set PYTHON_LIBS for cross builds
.
[ Aron Xu ]
* Use correct $CC
* Configure udeb without python
* New round of cherry-picking upstream fixes
- Includes fixes for CVE-2014-0191 (Closes: #747309).
* Call prename with -vf
* Require python-all-dev (>= 2.7.5-5~)
* Bump std-ver: 3.9.4 -> 3.9.5, no change
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---