xerces-c: CVE-2016-0729


Debian Bug report logs - #815907


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 25 Feb 2016 15:03:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version xerces-c/3.1.1-1

Fixed in versions xerces-c/3.1.1-5.1+deb8u1, xerces-c/3.1.1-1+deb6u2, xerces-c/3.1.1-3+deb7u2, xerces-c/3.1.3+debian-1

Done: William Blough <devel@blough.us>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, William Blough <devel@blough.us>:
Bug#815907; Package src:xerces-c. (Thu, 25 Feb 2016 15:03:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, William Blough <devel@blough.us>. (Thu, 25 Feb 2016 15:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces-c: CVE-2016-0729
Date: Thu, 25 Feb 2016 15:58:57 +0100
Source: xerces-c
Version: 3.1.1-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for xerces-c.

CVE-2016-0729[0]:
Apache Xerces-C XML Parser Crashes on Malformed Input

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0729
[1] http://svn.apache.org/viewvc?view=revision&revision=1727978

Regards,
Salvatore



Marked as fixed in versions xerces-c/3.1.1-3+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Feb 2016 15:36:04 GMT)


Marked as fixed in versions xerces-c/3.1.1-5.1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Feb 2016 15:36:05 GMT)


Added tag(s) pending. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Sat, 27 Feb 2016 05:42:17 GMT)


Marked as fixed in versions xerces-c/3.1.1-1+deb6u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Feb 2016 20:18:03 GMT)


Reply sent to William Blough <devel@blough.us>:
You have taken responsibility. (Sat, 19 Mar 2016 11:51:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 19 Mar 2016 11:51:06 GMT)


Message #18 received at 815907-close@bugs.debian.org:

From: William Blough <devel@blough.us>
To: 815907-close@bugs.debian.org
Subject: Bug#815907: fixed in xerces-c 3.1.3+debian-1
Date: Sat, 19 Mar 2016 11:49:16 +0000
Source: xerces-c
Source-Version: 3.1.3+debian-1

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Blough <devel@blough.us> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 27 Feb 2016 00:48:56 -0500
Source: xerces-c
Binary: libxerces-c3.1 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: source
Version: 3.1.3+debian-1
Distribution: unstable
Urgency: medium
Maintainer: William Blough <devel@blough.us>
Changed-By: William Blough <devel@blough.us>
Description:
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.1 - validating XML parser library for C++
Closes: 815907 816021
Changes:
 xerces-c (3.1.3+debian-1) unstable; urgency=medium
 .
   * New upstream version.
     Fixes CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed
     Input.  Closes: #815907
   * Add build dependency on libatk-wrapper-java. Closes: #816021
   * Updated standards version to 3.9.7 (no updates needed)
   * Lintian fixes
       d/copyright
         fix typo in filename
         fix duplicate license short name
         add .svn to excluded files





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Apr 2016 07:25:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:56:57 2019; Machine Name: buxtehude
