Debian Bug report logs - #829718 libxml2: CVE-2016-4448
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 5 Jul 2016 15:12:02 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version libxml2/2.8.0+dfsg1-7
Fixed in version libxml2/2.9.4+dfsg1-1
Done: Aron Xu <aron@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#829718; Package src:libxml2. (Tue, 05 Jul 2016 15:12:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Tue, 05 Jul 2016 15:12:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libxml2
Version: 2.8.0+dfsg1-7
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for libxml2.
CVE-2016-4448[0]:
| Format string vulnerability in libxml2 before 2.9.4 allows attackers
| to have unspecified impact via format string specifiers in unknown
| vectors.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-4448
Note it is marked no-dsa in the security-tracker, since probably too
intrusive to backport to older versions. It is part of the 2.9.4
upstream release.
Regards,
Salvatore
Reply sent to Aron Xu <aron@debian.org>: You have taken responsibility. (Tue, 19 Jul 2016 04:24:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 19 Jul 2016 04:24:09 GMT)
Message #10 received at 829718-close@bugs.debian.org:
Source: libxml2
Source-Version: 2.9.4+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 829718@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 19 Jul 2016 11:42:45 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source
Version: 2.9.4+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
libxml2-utils-dbg - XML utilities (debug extension)
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 829718
Changes:
libxml2 (2.9.4+dfsg1-1) unstable; urgency=medium
.
* Imported Upstream version 2.9.4+dfsg1
- Closes: 829718, CVE-2016-4448
* Drop patches applied upstream, refresh remainders
* Update Std-Ver to 3.9.8 from 3.9.6
* Update symbols for 2.9.4
* cherry-pick: Fix NULL pointer deref in XPointer range-to
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Aug 2016 07:30:14 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:36:44 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.