libxml-security-java: CVE-2013-2172

Related Vulnerabilities: CVE-2013-2172  

Debian Bug report logs - #720375
libxml-security-java: CVE-2013-2172


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Aug 2013 07:21:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libxml-security-java/1.4.5-1

Fixed in versions libxml-security-java/1.5.5-2, libxml-security-java/1.4.5-1+deb7u1, libxml-security-java/1.4.3-2+deb6u1

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#720375; Package libxml-security-java. (Wed, 21 Aug 2013 07:21:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 21 Aug 2013 07:21:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml-security-java: CVE-2013-2172
Date: Wed, 21 Aug 2013 09:18:09 +0200
Package: libxml-security-java
Severity: grave
Tags: security patch upstream fixed-upstream

Hi,

the following vulnerability was published for libxml-security-java.

CVE-2013-2172[0]:
Java XML Signature spoofing attack

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172
    http://security-tracker.debian.org/tracker/CVE-2013-2172
[1] http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
[2] http://svn.apache.org/viewvc?view=revision&revision=1493772

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Mon, 26 Aug 2013 18:21:19 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 26 Aug 2013 18:21:19 GMT).


Message #10 received at 720375-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 720375-close@bugs.debian.org
Subject: Bug#720375: fixed in libxml-security-java 1.5.5-2
Date: Mon, 26 Aug 2013 18:18:07 +0000
Source: libxml-security-java
Source-Version: 1.5.5-2

We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 720375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxml-security-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 Aug 2013 19:56:57 +0200
Source: libxml-security-java
Binary: libxml-security-java libxml-security-java-doc
Architecture: source all
Version: 1.5.5-2
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 libxml-security-java - Apache Santuario
 libxml-security-java-doc - Documentation for Apache Santuario
Closes: 720375
Changes: 
 libxml-security-java (1.5.5-2) unstable; urgency=low
 .
   * Upload to unstable
   * Release 1.5.5 fixes CVE-2013-2172 (Closes: #720375)
   * Added the Classpath attribute in the jar manifest

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

-----END PGP SIGNATURE-----




Marked as found in versions libxml-security-java/1.4.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2014 20:18:25 GMT).


Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Fri, 07 Nov 2014 15:36:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 07 Nov 2014 15:36:10 GMT).


Message #17 received at 720375-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 720375-close@bugs.debian.org
Subject: Bug#720375: fixed in libxml-security-java 1.4.5-1+deb7u1
Date: Fri, 07 Nov 2014 15:32:06 +0000
Source: libxml-security-java
Source-Version: 1.4.5-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 720375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated libxml-security-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Nov 2014 11:24:21 +0100
Source: libxml-security-java
Binary: libxml-security-java libxml-security-java-doc
Architecture: source all
Version: 1.4.5-1+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 libxml-security-java - Apache Santuario
 libxml-security-java-doc - Documentation for Apache Santuario
Closes: 720375
Changes: 
 libxml-security-java (1.4.5-1+deb7u1) wheezy-security; urgency=medium
 .
   * Fix CVE-2013-2172 (Closes: #720375)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Sun, 09 Nov 2014 16:21:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 09 Nov 2014 16:21:09 GMT).


Message #22 received at 720375-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 720375-close@bugs.debian.org
Subject: Bug#720375: fixed in libxml-security-java 1.4.3-2+deb6u1
Date: Sun, 09 Nov 2014 16:19:29 +0000
Source: libxml-security-java
Source-Version: 1.4.3-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 720375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libxml-security-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Nov 2014 16:24:21 +0100
Source: libxml-security-java
Binary: libxml-security-java
Architecture: source all
Version: 1.4.3-2+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 libxml-security-java - implementation of security standards for XML
Closes: 720375
Changes: 
 libxml-security-java (1.4.3-2+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix CVE-2013-2172 (Closes: #720375)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Jan 2015 07:33:29 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:13:53 2019; Machine Name: buxtehude
