CVE-2014-3660 libxml2 billion laugh variant

Related Vulnerabilities: CVE-2014-3660   CVE-2014-0191  

Debian Bug report logs - #765722

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Fri, 17 Oct 2014 14:06:01 UTC

Severity: serious

Tags: patch, security

Found in versions libxml2/2.8.0+dfsg1-7+wheezy1, libxml2/2.9.1+dfsg1-1

Fixed in versions libxml2/2.9.2+dfsg1-1, libxml2/2.8.0+dfsg1-7+wheezy2, libxml2/2.7.8.dfsg-2+squeeze10, libxml2/2.9.1+dfsg1-5

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#765722; Package libxml2. (Fri, 17 Oct 2014 14:06:06 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Fri, 17 Oct 2014 14:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-3660 libxml2 billion laugh variant
Date: Fri, 17 Oct 2014 16:02:30 +0200
Package: libxml2
Severity: serious
Tags: security patch

Hi,

The Netherlands Cyber Security Center announced an issue in libxml2.
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

It seems to be a variant of the classic 'billion laughs' vulnerability.
Upstream has fixed this in 2.9.2:

https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230

Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#765722; Package libxml2. (Sat, 25 Oct 2014 22:30:09 GMT)


Acknowledgement sent to Aron Xu <aron@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sat, 25 Oct 2014 22:30:09 GMT)


Message #10 received at 765722@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 765722@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#765722: CVE-2014-3660 libxml2 billion laugh variant
Date: Sun, 26 Oct 2014 06:26:50 +0800

Hi,

I'm preparing 2.9.2 for jessie, and for stable/oldstable I'll work on
them after the upload of 2.9.2.

Thanks,
Aron



Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Sun, 26 Oct 2014 01:09:05 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 26 Oct 2014 01:09:05 GMT)


Message #15 received at 765722-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 765722-close@bugs.debian.org
Subject: Bug#765722: fixed in libxml2 2.9.2+dfsg1-1
Date: Sun, 26 Oct 2014 01:04:16 +0000
Source: libxml2
Source-Version: 2.9.2+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 26 Oct 2014 07:04:50 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.9.2+dfsg1-1
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 765722
Changes:
 libxml2 (2.9.2+dfsg1-1) unstable; urgency=low
 .
   * New upstream release (Closes: #765722, CVE-2014-3660)
   * Remove no-longer-needed upstream patches
   * Update distro patch
   * Std-ver: 3.9.5 -> 3.9.6, no change.




Marked as found in versions libxml2/2.8.0+dfsg1-7+wheezy1. Request was from Aron Xu <aron@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2014 05:03:05 GMT)


Added tag(s) pending. Request was from Aron Xu <aron@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2014 05:03:06 GMT)


Marked as found in versions libxml2/2.9.1+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2014 05:57:10 GMT)


Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Tue, 28 Oct 2014 22:40:53 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Tue, 28 Oct 2014 22:40:53 GMT)


Message #26 received at 765722-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 765770-close@bugs.debian.org, 762864-close@bugs.debian.org, 765722-close@bugs.debian.org
Date: Wed, 29 Oct 2014 06:35:09 +0800
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy2

Fixed in wheezy security update.



Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Wed, 29 Oct 2014 19:36:36 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Wed, 29 Oct 2014 19:36:36 GMT)


Message #31 received at 765722-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 765722-close@bugs.debian.org
Subject: Bug#765722: fixed in libxml2 2.7.8.dfsg-2+squeeze10
Date: Wed, 29 Oct 2014 19:34:50 +0000
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze10

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 28 Oct 2014 18:00:28 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source i386 all
Version: 2.7.8.dfsg-2+squeeze10
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 762864 765722
Changes:
 libxml2 (2.7.8.dfsg-2+squeeze10) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix wrongly applied patch for CVE-2014-0191 (Closes: #762864)
   * Add patch for CVE-2014-3660 (Closes: #765722)




Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Wed, 05 Nov 2014 23:51:19 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Wed, 05 Nov 2014 23:51:19 GMT)


Message #36 received at 765722-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 765722-close@bugs.debian.org
Subject: Bug#765722: fixed in libxml2 2.8.0+dfsg1-7+wheezy2
Date: Wed, 05 Nov 2014 23:47:06 +0000
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy2

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 26 Oct 2014 12:39:34 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy2
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 762864 765722 765770
Changes:
 libxml2 (2.8.0+dfsg1-7+wheezy2) stable-security; urgency=high
 .
   * Fix buggy patch (Closes: #765770)
   * Fix wrongly applied patch for CVE-2014-0191 (Closes: #762864)
   * Add patch for CVE-2014-3660 (Closes: #765722)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#765722; Package libxml2. (Sat, 08 Nov 2014 10:57:13 GMT)


Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sat, 08 Nov 2014 10:57:13 GMT)


Message #41 received at 765722@bugs.debian.org:

From: Lucas Nussbaum <lucas@debian.org>
To: 765722@bugs.debian.org
Subject: Re: Bug#765722: CVE-2014-3660 libxml2 billion laugh variant
Date: Sat, 8 Nov 2014 11:52:27 +0100

Hi,

I looked at this bug (kind-of randomly looking through RC bugs).
The current status is:
- fixed in unstable with a new upstream version
- that new upstream version was aged/2
- however, an RC bug (#766884) was found in that new upstream version
- in the upstream bug[1] for #766884, the upstream author says
  'it's not gonna be simple :-('

:-(

A good strategy is probably to see if the upstream bug gets fixed soon,
migrate the fixed new upstream if that's the case, and issue a targeted
fix for #765722 if that's not the case.

However, maybe the release team prefers a targeted fix anyway?
(I did not really understand if the fix for #765722 is related to the
introduction of #766884. But I believe they are independent)

[1] https://bugzilla.gnome.org/show_bug.cgi?id=737840

Lucas



Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Thu, 19 Feb 2015 17:21:05 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 19 Feb 2015 17:21:05 GMT)


Message #46 received at 765722-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 765722-close@bugs.debian.org
Subject: Bug#765722: fixed in libxml2 2.9.1+dfsg1-5
Date: Thu, 19 Feb 2015 17:18:48 +0000
Source: libxml2
Source-Version: 2.9.1+dfsg1-5

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 01 Feb 2015 13:48:36 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.9.1+dfsg1-5
Distribution: testing
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 765722 768089
Changes:
 libxml2 (2.9.1+dfsg1-5) testing; urgency=medium
 .
   * Add pkg-config to B-D
   * Cherry-pick upstream memory related fixes
     - Including CVE-2014-3660 (Closes: #765722, #768089)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Mar 2015 07:25:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:19:39 2019; Machine Name: buxtehude
