xerces-c: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Related Vulnerabilities: CVE-2015-0252  

Debian Bug report logs - #780827


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 20 Mar 2015 05:54:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version xerces-c/3.1.1-1

Fixed in versions xerces-c/3.1.1-3+deb7u1, xerces-c/3.1.1-5.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#780827; Package src:xerces-c. (Fri, 20 Mar 2015 05:54:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>. (Fri, 20 Mar 2015 05:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces-c: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
Date: Fri, 20 Mar 2015 06:49:58 +0100
Source: xerces-c
Version: 3.1.1-1
Severity: grave
Tags: security patch upstream fixed-upstream

Hi,

the following vulnerability was published for xerces-c.

CVE-2015-0252[0]:
Apache Xerces-C XML Parser Crashes on Malformed Input

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0252
[1] https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
[2] http://svn.apache.org/viewvc?view=revision&revision=1667870

Regards,
Salvatore

p.s.: I uploaded already prepared packages for wheezy-security, but
the packages are not yet released.



Marked as fixed in versions xerces-c/3.1.1-3+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Mar 2015 18:30:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#780827; Package src:xerces-c. (Fri, 20 Mar 2015 19:03:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Fri, 20 Mar 2015 19:03:10 GMT)


Message #12 received at 780827@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 780827@bugs.debian.org
Subject: xerces-c: diff for NMU version 3.1.1-5.1
Date: Fri, 20 Mar 2015 20:02:11 +0100
Control: tags 780827 + pending

Hi Jay!

I've prepared an NMU for xerces-c (versioned as 3.1.1-5.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

It is the same patch as used for the wheezy-security upload.

Regards,
Salvatore
[xerces-c-3.1.1-5.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 780827-submit@bugs.debian.org. (Fri, 20 Mar 2015 19:03:10 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 22 Mar 2015 19:21:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 22 Mar 2015 19:21:16 GMT)


Message #19 received at 780827-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 780827-close@bugs.debian.org
Subject: Bug#780827: fixed in xerces-c 3.1.1-5.1
Date: Sun, 22 Mar 2015 19:19:06 +0000
Source: xerces-c
Source-Version: 3.1.1-5.1

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780827@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 20 Mar 2015 19:40:31 +0100
Source: xerces-c
Binary: libxerces-c3.1 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: source all amd64
Version: 3.1.1-5.1
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.1 - validating XML parser library for C++
Closes: 780827
Changes:
 xerces-c (3.1.1-5.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2015-0252.patch patch.
     CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
     (Closes: #780827)
Checksums-Sha1:
 7fc880ce7365a50ec492e5f2d1f64985a4f0d324 1937 xerces-c_3.1.1-5.1.dsc
 f958a10ba4526853ca96bf286a979069e0429e7f 7008 xerces-c_3.1.1-5.1.debian.tar.xz
 7619c5436ba44404d53fdfcb2a8db06970bfa68e 1294666 libxerces-c-doc_3.1.1-5.1_all.deb
Checksums-Sha256:
 91e32be662356395adb6c2a1f4f0662dd1c1b637497334a5532e2acd9eaf5202 1937 xerces-c_3.1.1-5.1.dsc
 1bec9a65f745d12e528710018d87800cf5a412452b1ab3a2d2a231de74930e1e 7008 xerces-c_3.1.1-5.1.debian.tar.xz
 89b0ecc8bb65a15e39fb00ca6bee79485ceeff77b293d726624cbf797de42720 1294666 libxerces-c-doc_3.1.1-5.1_all.deb
Files:
 b8482444bc286519181802b39d98aa3e 1937 libs optional xerces-c_3.1.1-5.1.dsc
 2beb82692e72d7b84699f6401f37fc31 7008 libs optional xerces-c_3.1.1-5.1.debian.tar.xz
 81c0370786743bce507f889fb2911d3a 1294666 doc optional libxerces-c-doc_3.1.1-5.1_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#780827; Package src:xerces-c. (Mon, 23 Mar 2015 15:06:05 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 23 Mar 2015 15:06:05 GMT)


Message #24 received at 780827@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: debian-lts@lists.debian.org, 780827@bugs.debian.org
Subject: squeeze update of xerces-c?
Date: Mon, 23 Mar 2015 16:03:54 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of xerces-c:
https://security-tracker.debian.org/tracker/CVE-2015-0252

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:41:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:59:17 2019; Machine Name: buxtehude
