Debian Bug report logs - #714241
xml-security-c: CVE-2013-2210
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 27 Jun 2013 07:03:01 UTC
Severity: grave
Tags: patch, security
Fixed in versions xml-security-c/1.6.1-7, xml-security-c/1.7.2-1, xml-security-c/1.6.1-5+deb7u2, xml-security-c/1.5.1-3+squeeze3
Done: Russ Allbery <rra@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>: Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 07:03:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 07:03:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: xml-security-c
Severity: grave
Tags: security patch
Justification: user security hole
Hi Russ,
the following vulnerability was published for xml-security-c. It looks
like the fix for CVE-2013-2154 introduced the possibility of a heap overflow.
CVE-2013-2210[0]:
heap overflow during XPointer evaluation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
http://security-tracker.debian.org/tracker/CVE-2013-2210
[1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
[2] http://svn.apache.org/viewvc?view=revision&revision=r1496703
Could you double check this, and prepare packages for squeeze and
wheezy too?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>: Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 17:30:04 GMT)
Acknowledgement sent to Russ Allbery <rra@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 17:30:04 GMT)
Message #10 received at submit@bugs.debian.org:
Salvatore Bonaccorso <carnil@debian.org> writes:
> the following vulnerability was published for xml-security-c. It looks
> like the fix for CVE-2013-2154 introduced the possibility of a heap overflow.
> CVE-2013-2210[0]:
> heap overflow during XPointer evaluation
Yeah, thanks -- working on this today. I was going to work on it
yesterday but then something else I was working on didn't go as planned.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>: Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 17:30:07 GMT)
Acknowledgement sent to Russ Allbery <rra@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 17:30:07 GMT)
Reply sent to Russ Allbery <rra@debian.org>: You have taken responsibility. (Thu, 27 Jun 2013 21:09:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 27 Jun 2013 21:09:09 GMT)
Message #20 received at 714241-close@bugs.debian.org:
Source: xml-security-c
Source-Version: 1.6.1-7
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 27 Jun 2013 13:44:56 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-7
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
xml-security-c (1.6.1-7) unstable; urgency=high
.
* The attempted fix to address CVE-2013-2154 introduced the possibility
of a heap overflow, possibly leading to arbitrary code execution, in
the processing of malformed XPointer expressions in the XML Signature
Reference processing code. Apply upstream patch to fix that heap
overflow. (Closes: #714241, CVE-2013-2210)
Reply sent to Russ Allbery <rra@debian.org>: You have taken responsibility. (Thu, 27 Jun 2013 21:09:13 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 27 Jun 2013 21:09:13 GMT)
Message #25 received at 714241-close@bugs.debian.org:
Source: xml-security-c
Source-Version: 1.7.2-1
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 27 Jun 2013 13:00:54 -0700
Source: xml-security-c
Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils
Architecture: source i386
Version: 1.7.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 714241
Changes:
xml-security-c (1.7.2-1) experimental; urgency=high
.
* New upstream release.
- The attempted fix to address CVE-2013-2154 introduced the
possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in
the XML Signature Reference processing code. Fix that heap
overflow. (Closes: #714241, CVE-2013-2210)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>: Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 22:33:05 GMT)
Acknowledgement sent to Russ Allbery <rra@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 22:33:05 GMT)
Message #30 received at 714241@bugs.debian.org:
Salvatore Bonaccorso <carnil@debian.org> writes:
> Could you double check this, and prepare packages for squeeze and
> wheezy too?
I've uploaded fixed versions for experimental and unstable. Here are the
debdiff patches for wheezy and squeeze. Permission to upload to the
security queue?
Please note that Shibboleth doesn't exercise this part of the code, so I
don't personally have any application that tests this part of the
library. However, the upstream change is fairly simple.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
[squeeze.diff (text/x-diff, attachment)]
[wheezy.diff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>: Bug#714241; Package xml-security-c. (Fri, 28 Jun 2013 04:57:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Fri, 28 Jun 2013 04:57:04 GMT)
Message #35 received at 714241@bugs.debian.org:
Hi Russ,
On Thu, Jun 27, 2013 at 03:29:42PM -0700, Russ Allbery wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > Could you double check this, and prepare packages for squeeze and
> > wheezy too?
>
> I've uploaded fixed versions for experimental and unstable. Here are the
> debdiff patches for wheezy and squeeze. Permission to upload to the
> security queue?
>
> Please note that Shibboleth doesn't exercise this part of the code, so I
> don't personally have any application that tests this part of the
> library. However, the upstream change is fairly simple.
Looks good. Yes please upload to security-master both.
Thanks for your quick update.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>: Bug#714241; Package xml-security-c. (Fri, 28 Jun 2013 05:03:04 GMT)
Acknowledgement sent to Russ Allbery <rra@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Fri, 28 Jun 2013 05:03:04 GMT)
Message #40 received at 714241@bugs.debian.org:
Salvatore Bonaccorso <carnil@debian.org> writes:
> Looks good. Yes please upload to security-master both.
> Thanks for your quick update.
Done. Thank you for handling security issues!
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply sent to Russ Allbery <rra@debian.org>: You have taken responsibility. (Sat, 29 Jun 2013 10:51:19 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 29 Jun 2013 10:51:19 GMT)
Message #45 received at 714241-close@bugs.debian.org:
Source: xml-security-c
Source-Version: 1.6.1-5+deb7u2
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 27 Jun 2013 13:54:03 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high
.
* The attempted fix to address CVE-2013-2154 introduced the possibility
of a heap overflow, possibly leading to arbitrary code execution, in
the processing of malformed XPointer expressions in the XML Signature
Reference processing code. Apply upstream patch to fix that heap
overflow. (Closes: #714241, CVE-2013-2210)
Reply sent to Russ Allbery <rra@debian.org>: You have taken responsibility. (Sat, 29 Jun 2013 10:51:23 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 29 Jun 2013 10:51:23 GMT)
Message #50 received at 714241-close@bugs.debian.org:
Source: xml-security-c
Source-Version: 1.5.1-3+squeeze3
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 27 Jun 2013 15:15:18 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high
.
* The attempted fix to address CVE-2013-2154 introduced the possibility
of a heap overflow, possibly leading to arbitrary code execution, in
the processing of malformed XPointer expressions in the XML Signature
Reference processing code. Apply upstream patch to fix that heap
overflow. (Closes: #714241, CVE-2013-2210)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:30:16 GMT)