[Desktop-packages] [Bug 1194410] Re: Apply upstream patch to close XXE vulnerability in precise

Mon, 15 Jul 2013 06:02:44 -0700 

This bug was fixed in the package libxml2 - 2.7.8.dfsg-5.1ubuntu4.5

---------------
libxml2 (2.7.8.dfsg-5.1ubuntu4.5) precise-security; urgency=low

  * SECURITY UPDATE: external entity expansion attack (LP: #1194410)
    - do not fetch external parsed entities in parser.c, added test to
      test/errors/extparsedent.xml, result/errors/extparsedent.xml.
    - 
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
    - CVE-2013-0339
  * SECURITY UPDATE: denial of service via incomplete document
    - try to stop parsing as quickly as possible in parser.c,
      include/libxml/xmlerror.h.
    - 
https://git.gnome.org/browse/libxml2/commit/?id=48b4cdde3483e054af8ea02e0cd7ee467b0e9a50
    - 
https://git.gnome.org/browse/libxml2/commit/?id=e50ba8164eee06461c73cd8abb9b46aa0be81869
    - CVE-2013-2877
 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>   Thu, 11 Jul 2013 14:57:48 
-0400

** Changed in: libxml2 (Ubuntu Precise)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2877

** Changed in: libxml2 (Ubuntu Lucid)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libxml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1194410

Title:
  Apply upstream patch to close XXE vulnerability in precise

Status in “libxml2” package in Ubuntu:
  Fix Released
Status in “libxml2” source package in Lucid:
  Fix Released
Status in “libxml2” source package in Precise:
  Fix Released
Status in “libxml2” source package in Quantal:
  Fix Released
Status in “libxml2” source package in Raring:
  Fix Released
Status in “libxml2” source package in Saucy:
  Fix Released

Bug description:
  In version 2.7.8 there is no way to avoid opening and reading a file
  if it is specified in the ENTITY section of the document.

  The issue has been raised in:
    https://mail.gnome.org/archives/xml/2012-October/msg00002.html
    https://github.com/sparklemotion/nokogiri/issues/693

  An upstream fix has been released:
    
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1194410/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to