php-openid: CVE-2013-4701

Related Vulnerabilities: CVE-2013-4701  

Debian Bug report logs - #721221

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 29 Aug 2013 08:39:02 UTC

Severity: grave

Tags: patch, security

Fixed in version php-openid/2.2.2-1.2

Done: Artur Rona <ari-tczew@tlen.pl>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Hauke Rahm <jhr@debian.org>:
Bug#721221; Package php-openid. (Thu, 29 Aug 2013 08:39:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Hauke Rahm <jhr@debian.org>. (Thu, 29 Aug 2013 08:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-openid: CVE-2013-4701
Date: Thu, 29 Aug 2013 10:29:48 +0200
Package: php-openid
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2013-4701:
http://jvn.jp/en/jp/JVN24713981/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000080.html

Fix is here:
https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jan Hauke Rahm <jhr@debian.org>:
Bug#721221; Package php-openid. (Mon, 16 Sep 2013 19:39:04 GMT)


Acknowledgement sent to Luca Falavigna <dktrkranz@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Hauke Rahm <jhr@debian.org>. (Mon, 16 Sep 2013 19:39:04 GMT)


Message #10 received at 721221@bugs.debian.org:

From: Luca Falavigna <dktrkranz@debian.org>
To: 721221@bugs.debian.org
Subject: php-openid: diff for NMU version 2.2.2-1.2
Date: Mon, 16 Sep 2013 21:35:04 +0200
tags 721221 + patch pending
thanks


Dear maintainer,

I've prepared an NMU for php-openid (versioned as 2.2.2-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
[php-openid-2.2.2-1.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending and patch. Request was from Luca Falavigna <dktrkranz@debian.org> to control@bugs.debian.org. (Mon, 16 Sep 2013 19:39:07 GMT)


Reply sent to Artur Rona <ari-tczew@tlen.pl>:
You have taken responsibility. (Wed, 18 Sep 2013 20:00:23 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 18 Sep 2013 20:00:23 GMT)


Message #17 received at 721221-close@bugs.debian.org:

From: Artur Rona <ari-tczew@tlen.pl>
To: 721221-close@bugs.debian.org
Subject: Bug#721221: fixed in php-openid 2.2.2-1.2
Date: Wed, 18 Sep 2013 19:49:59 +0000
Source: php-openid
Source-Version: 2.2.2-1.2

We believe that the bug you reported is fixed in the latest version of
php-openid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721221@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Artur Rona <ari-tczew@tlen.pl> (supplier of updated php-openid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 11 Sep 2013 16:57:40 +0200
Source: php-openid
Binary: php-openid
Architecture: source all
Version: 2.2.2-1.2
Distribution: unstable
Urgency: high
Maintainer: Jan Hauke Rahm <jhr@debian.org>
Changed-By: Artur Rona <ari-tczew@tlen.pl>
Description: 
 php-openid - PHP OpenID library
Closes: 721221
Changes: 
 php-openid (2.2.2-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/CVE-2013-4701.patch:
     - Disable external XML entities and libxml errors. Fixes
       security issue. (Closes: #721221)
     - CVE-2013-4701




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:38:07 GMT)
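
The upload's changelog describes the fix as disabling external XML entities and libxml errors. As an added example (not code from php-openid or from the Debian patch), this is one way to apply both settings when parsing an untrusted XML document in PHP; `parse_untrusted_xml()` is a hypothetical helper name and the sample documents are constructed for illustration.

```php
<?php
// Added example, not php-openid code. parse_untrusted_xml() is a hypothetical
// helper name; the sample documents at the bottom are constructed.
function parse_untrusted_xml(string $xml): ?DOMDocument
{
    if ($xml === '') {
        return null;
    }
    // Collect libxml errors internally instead of emitting PHP warnings.
    $prevErrors = libxml_use_internal_errors(true);
    // PHP < 8.0: turn the external entity loader off for this parse. The call
    // is deprecated from 8.0, which requires libxml >= 2.9.0, where external
    // entities are not loaded unless the caller asks for it.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access; LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not passed.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            return null;
        }
        // Defence in depth: a discovery document needs no DOCTYPE, so refuse
        // any input that declares one (and with it any entity definitions).
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                return null;
            }
        }
        return $doc;
    } finally {
        // Restore the previous process-wide libxml state.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

$plain   = '<xrds><Service>ok</Service></xrds>';
$withDtd = '<!DOCTYPE xrds [<!ENTITY ext SYSTEM "http://example.invalid/ext">]>'
         . '<xrds><Service>&ext;</Service></xrds>';
var_dump(parse_untrusted_xml($plain) instanceof DOMDocument);
var_dump(parse_untrusted_xml($withDtd));
var_dump(parse_untrusted_xml('<xrds><unclosed></xrds>'));
```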



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:45:23 2019; Machine Name: buxtehude
