expat: CVE-2024-28757

Debian Bug report logs - #1065868
expat: CVE-2024-28757

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 10 Mar 2024 15:03:07 UTC

Severity: important

Tags: security, upstream

Found in version expat/2.6.1-1

Fixed in version expat/2.6.1-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Forwarded to https://github.com/libexpat/libexpat/pull/842
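The "Found in version" and "Fixed in version" fields above are what an operator needs when deciding whether a given host's expat package already carries this fix. The following is an added example, not part of the bug log or of Debian's tooling: it implements the version-ordering rules of Debian Policy (epoch, upstream, revision; '~' sorts before anything, letters before non-letters, digit runs compared numerically) in plain Python and compares an installed version against 2.6.1-2, the fixed version this report names for unstable. The fixed-version constant and the sample version strings in the block are taken from this report or constructed for illustration; stable suites receive separately versioned updates, so for those consult the security tracker entry linked in the report rather than this constant.

```python
"""Added example (not from the Debian bug log): decide whether an installed
Debian expat package version is at or past the version that fixes
CVE-2024-28757 in unstable, using dpkg's version-ordering rules."""

import re

FIXED_IN_UNSTABLE = "2.6.1-2"   # "Fixed in version" field of bug #1065868


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    A missing epoch is 0; a version without '-' has an empty revision."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no '-' at all: native package
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _char_order(c):
    """dpkg ordering of one non-digit character: '~' sorts lowest (even below
    end of string, passed here as None), then letters, then everything else."""
    if c is None:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) dpkg-style:
    alternate between non-digit runs (compared with _char_order) and digit
    runs (compared numerically) until both strings are exhausted."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i] if i < len(na) else None)
            ob = _char_order(nb[i] if i < len(nb) else None)
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def debian_version_cmp(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def expat_package_is_fixed(installed: str, fixed: str = FIXED_IN_UNSTABLE) -> bool:
    """True when `installed` (for example the output of
    dpkg-query -W -f='${Version}' libexpat1) is at or past the fixed version."""
    return debian_version_cmp(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions: the report's found/fixed versions, a
    # hypothetical backport and a hypothetical later upstream upload.
    for v in ("2.6.1-1", "2.6.1-2", "2.6.1-2~bpo12+1", "2.6.2-1"):
        print(v, "at or past fix" if expat_package_is_fixed(v) else "before fix")
```

Note that a backport version such as 2.6.1-2~bpo12+1 sorts before 2.6.1-2 by design, so it is reported as "before fix" here even though it would be built from the fixed source; that is the reason to key such checks on the exact suite's fixed version rather than on one constant.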



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1065868; Package src:expat. (Sun, 10 Mar 2024 15:03:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 10 Mar 2024 15:03:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: expat: CVE-2024-28757
Date: Sun, 10 Mar 2024 16:02:21 +0100
Source: expat
Version: 2.6.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/842
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for expat.

CVE-2024-28757[0]:
| libexpat through 2.6.1 allows an XML Entity Expansion attack when
| there is isolated use of external parsers (created via
| XML_ExternalEntityParserCreate).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28757
    https://www.cve.org/CVERecord?id=CVE-2024-28757
[1] https://github.com/libexpat/libexpat/pull/842
[2] https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
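The CVE text quoted in the report describes an XML Entity Expansion ("billion laughs") attack. The following is an added example, not code from the bug log or from libexpat: it constructs such a payload and feeds it to libexpat through Python's xml.parsers.expat binding, which wraps the same library the Debian package ships, and reports whether the library's amplification accounting (present upstream since 2.4.0, with defaults of an 8 MiB activation threshold and a maximum output/input ratio of 100) rejects it. The example drives the root parser only, the path on which that protection already held in 2.6.1; it does not reproduce the isolated use of a parser created via XML_ExternalEntityParserCreate that CVE-2024-28757 concerns, and it makes no claim about how that case behaves. The payload, the default-limit constants and the helper names are constructed for this example; the version check at the end assumes the interpreter's libexpat reports its true version, which a distribution backport such as the 2.6.1-2 upload in this bug does not change.

```python
"""Added example, not from the bug log or from libexpat: build a billion-laughs
document, parse it with libexpat via Python's xml.parsers.expat binding and
report whether the library's entity-expansion protection rejects it.
Assumes a libexpat of 2.4.0 or later underneath for the rejection to happen."""

import xml.parsers.expat as expat

# libexpat's default limits for the amplification check (constants restated
# here for the example): the check only starts once 8 MiB of output has been
# produced, and from then on rejects input whose output/input ratio exceeds 100.
DEFAULT_ACTIVATION_THRESHOLD_BYTES = 8 * 1024 * 1024
DEFAULT_MAX_AMPLIFICATION = 100.0


def expanded_size(depth: int = 7, fanout: int = 9, atom: str = "lol") -> int:
    """Characters the document from billion_laughs_document() expands to:
    the root element references lol<depth> once and each level multiplies
    by `fanout`."""
    return len(atom) * fanout ** depth


def billion_laughs_document(depth: int = 7, fanout: int = 9, atom: str = "lol") -> bytes:
    """Constructed payload (sample input, not taken from the report). With the
    defaults it expands to 3 * 9**7 characters, about 13.7 MiB, well past the
    8 MiB activation threshold, from under 1 KiB of input."""
    decls = [f'<!ENTITY lol0 "{atom}">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    body = "\n".join(decls)
    return (
        "<?xml version='1.0'?>\n"
        f"<!DOCTYPE lolz [\n{body}\n]>\n"
        f"<lolz>&lol{depth};</lolz>\n"
    ).encode()


def expected_amplification(depth: int = 7, fanout: int = 9, atom: str = "lol") -> float:
    """Output/input ratio the payload produces, the quantity libexpat's
    accounting compares against its maximum amplification factor."""
    doc_len = len(billion_laughs_document(depth, fanout, atom))
    return (doc_len + expanded_size(depth, fanout, atom)) / doc_len


def parse_with_expat(document: bytes):
    """Parse with a root libexpat parser. Returns ('ok', expanded_chars) when
    the document parses, or ('rejected', message) when libexpat aborts.
    Character data is counted rather than kept, so the example itself does
    not balloon in memory on a library without the protection."""
    parser = expat.ParserCreate()
    seen = 0

    def on_character_data(data: str) -> None:
        nonlocal seen
        seen += len(data)

    parser.CharacterDataHandler = on_character_data
    try:
        parser.Parse(document, True)
    except expat.ExpatError as err:
        return ("rejected", str(err))
    return ("ok", seen)


def linked_expat_version() -> tuple:
    """Version tuple of the libexpat this interpreter is linked against."""
    return expat.version_info


def reports_fixed_upstream_version() -> bool:
    """True when the linked libexpat reports at least 2.6.2, the first
    upstream release containing the fix referenced in this bug. False is not
    proof of exposure: distributions backport fixes without changing the
    version string, so check the package changelog as well."""
    return linked_expat_version() >= (2, 6, 2)


if __name__ == "__main__":
    print("libexpat", ".".join(map(str, linked_expat_version())),
          "reports fixed upstream version:", reports_fixed_upstream_version())
    print("payload amplification about %.0fx" % expected_amplification())
    print("root parser result:", parse_with_expat(billion_laughs_document()))
```

On a libexpat with the accounting in place the parse fails with an ExpatError whose message mentions the input amplification factor limit; on a library without it the handler is simply called until all 3 * 9**7 characters have been delivered.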



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2024 17:54:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 10 Mar 2024 17:54:19 GMT)


Message #10 received at 1065868-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1065868-close@bugs.debian.org
Subject: Bug#1065868: fixed in expat 2.6.1-2
Date: Sun, 10 Mar 2024 17:51:13 +0000
Source: expat
Source-Version: 2.6.1-2
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1065868@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Mar 2024 18:24:38 +0100
Source: expat
Architecture: source
Version: 2.6.1-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1065868
Changes:
 expat (2.6.1-2) unstable; urgency=high
 .
   * Backport security fix for CVE-2024-28757: prevent billion laughs attacks
     in isolated external parser (closes: #1065868).
Checksums-Sha1:
 82208c1d9e2ff1c7e58b1c6f9a113cf2dbc5b5d3 1964 expat_2.6.1-2.dsc
 7c61bbd29b3dffaea4801fbebf28f1e08b92f39e 14756 expat_2.6.1-2.debian.tar.xz
Checksums-Sha256:
 01d9c45426c6f6afb498c3c9d4b50c77f51f13df849f5529a50014f66f9448f2 1964 expat_2.6.1-2.dsc
 b7c2a812e7baa87851f4045efd9d13514d3ebd42da079f26f2716723182bc077 14756 expat_2.6.1-2.debian.tar.xz
Files:
 e4ffdedb90e95e8dbcf6d4b2aa7ce1be 1964 text optional expat_2.6.1-2.dsc
 20382e20a2de1b85ff6af4ff6126c66e 14756 text optional expat_2.6.1-2.debian.tar.xz



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Mar 11 11:51:04 2024; Machine Name: buxtehude
