Your message dated Sat, 26 Feb 2022 18:47:18 +0000
with message-id <[email protected]>
and subject line Bug#1005895: fixed in expat 2.2.10-2+deb11u2
has caused the Debian Bug report #1005895,
regarding expat: CVE-2022-25236
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1005895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005895
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.4.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/561
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for expat.
CVE-2022-25236[0]:
| xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to
| insert namespace-separator characters into namespace URIs.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
[1] https://github.com/libexpat/libexpat/pull/561
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.2.10-2+deb11u2
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 20 Feb 2022 17:08:18 +0100
Source: expat
Architecture: source
Version: 2.2.10-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1005894 1005895
Changes:
expat (2.2.10-2+deb11u2) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Prevent stack exhaustion in build_model (CVE-2022-25313)
* Prevent integer overflow in storeRawNames (CVE-2022-25315)
* Prevent integer overflow in copyString (CVE-2022-25314)
* lib: Fix (harmless) use of uninitialized memory
* lib: Protect against malicious namespace declarations (CVE-2022-25236)
(Closes: #1005895)
* tests: Cover CVE-2022-25236
* lib: Drop unused macro UTF8_GET_NAMING
* lib: Add missing validation of encoding (CVE-2022-25235)
(Closes: #1005894)
* lib: Add comments to BT_LEAD* cases where encoding has already been
validated
* tests: Cover missing validation of encoding (CVE-2022-25235)
* Fix build_model regression.
* tests: Protect against nested element declaration model regressions
Package-Type: udeb
Checksums-Sha1:
65b091ad484ca78f0d974ea87812286fb815ebbe 2175 expat_2.2.10-2+deb11u2.dsc
4fe82dd3d1963aeddc0368890cd22fec8a62030c 25192
expat_2.2.10-2+deb11u2.debian.tar.xz
Checksums-Sha256:
6baf9313138838ef15bcc454e73c041c8cd0aef70e1f4e074c88f6caabc23fd3 2175
expat_2.2.10-2+deb11u2.dsc
76a3b5cd539b299fac69502009dec3acbb3a4020732df548ddbde4344d8fa27e 25192
expat_2.2.10-2+deb11u2.debian.tar.xz
Files:
12361cd6e83af439a8a6d307993fe802 2175 text optional expat_2.2.10-2+deb11u2.dsc
eda469432dd5c3d92fa1f761b39d69df 25192 text optional
expat_2.2.10-2+deb11u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmISaGdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E/VkP/1c9KBW4loHGtkza9o5IV97sWhg28fNt
UuABjSUfXI4JbR2SyEg68VJ0Jczzr15UwOA3OUVNg9B0hNRg6aRuvb2hjeqVg8fj
CAjKQDFHS0Ww+evd1Zw7rPtzP9oa1K2lxJT7U7x6zeqDfC3eF1sPMiDWhVTBQZSu
/683dM7CvZP48c6p8D2Na0eyIpFO9AKRou9KqhOamNI0//UYH3zktxtS9RhV2G6L
9u/rgRRR2C1GKpxyIaXuyURyGMR5C/RoOZ9Yrz56AFLulnwQbfGeszFn6lv23+MK
MkzelMI5bwr9KdArRMYhfcql5vD0SFWRYIokXwI2m+NIR+mK35Pcahz+AXOYTYLi
TLuI903JyFVH4g+/ioOMsxSweIRoGJSHbxADc4UK8i1mm7l+BkFHNW6zBqXrcD7X
aM02rsDYSZ+fx4daEziH/Gl8yRu3W1De5+3QwtI1lLmtQaw5P39wwsU3W618SLMX
JK9WmBwnBU8ANb3kPY63wVcrT/FrP4DUlpM3m+a3gv5gTlsjtLI4S5n0ZFY994uE
6MzaBeaVu5DiRvv0c/aYSql/Lja+H7WLHXR4GNwNfFJPRp4Mysqe/oqDyQ4t3FLS
rRGm97aJ2B90ZGA3OpM6o5V8NIU6QqVO5uiF65ajKj8RoN2hMezgoam37sA7UmnI
xSaiIdOBoXZs
=A9aH
-----END PGP SIGNATURE-----
--- End Message ---