xerces-c: CVE-2016-4463

Debian Bug report logs - #828990


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 29 Jun 2016 14:45:10 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version xerces-c/3.1.1-3

Fixed in versions xerces-c/3.1.1-5.1+deb8u3, xerces-c/3.1.3+debian-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, William Blough <devel@blough.us>:
Bug#828990; Package src:xerces-c. (Wed, 29 Jun 2016 14:45:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, William Blough <devel@blough.us>. (Wed, 29 Jun 2016 14:45:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces-c: CVE-2016-4463
Date: Wed, 29 Jun 2016 16:43:56 +0200
Source: xerces-c
Version: 3.1.1-3
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for xerces-c.

CVE-2016-4463[0]:
Apache Xerces-C XML Parser Crashes on Malformed DTD

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4463
[1] https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt

Note that I have already prepared the corresponding debdiffs for
jessie-security (and, since it was basically the same, for wheezy LTS
as well).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, William Blough <devel@blough.us>:
Bug#828990; Package src:xerces-c. (Fri, 01 Jul 2016 12:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to William Blough <devel@blough.us>. (Fri, 01 Jul 2016 12:51:05 GMT)


Message #10 received at 828990@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 828990@bugs.debian.org
Subject: xerces-c: diff for NMU version 3.1.3+debian-2.1
Date: Fri, 1 Jul 2016 14:47:50 +0200
Control: tags 828990 + pending

Hi,

I've prepared an NMU for xerces-c (versioned as 3.1.3+debian-2.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[xerces-c-3.1.3+debian-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 828990-submit@bugs.debian.org. (Fri, 01 Jul 2016 12:51:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 04 Jul 2016 08:12:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 04 Jul 2016 08:12:15 GMT)


Message #17 received at 828990-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 828990-close@bugs.debian.org
Subject: Bug#828990: fixed in xerces-c 3.1.1-5.1+deb8u3
Date: Mon, 04 Jul 2016 08:08:48 +0000
Source: xerces-c
Source-Version: 3.1.1-5.1+deb8u3

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 828990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 28 Jun 2016 16:53:20 +0200
Source: xerces-c
Binary: libxerces-c3.1 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: all source
Version: 3.1.1-5.1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 828990
Description: 
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.1 - validating XML parser library for C++
Changes:
 xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
     (Closes: #828990)
   * Enable the ability to disable DTD processing through the use of an env
     variable
   * Add NEWS.Debian entry to document the XERCES_DISABLE_DTD variable

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 11 Jul 2016 13:39:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 11 Jul 2016 13:39:22 GMT)


Message #22 received at 828990-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 828990-close@bugs.debian.org
Subject: Bug#828990: fixed in xerces-c 3.1.3+debian-2.1
Date: Mon, 11 Jul 2016 13:36:53 +0000
Source: xerces-c
Source-Version: 3.1.3+debian-2.1

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 828990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 01 Jul 2016 14:28:51 +0200
Source: xerces-c
Binary: libxerces-c3.1 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: source
Version: 3.1.3+debian-2.1
Distribution: unstable
Urgency: medium
Maintainer: William Blough <devel@blough.us>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 828990
Description: 
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.1 - validating XML parser library for C++
Changes:
 xerces-c (3.1.3+debian-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
     (Closes: #828990)
   * Enable the ability to disable DTD processing through the use of an env
     variable
   * Add NEWS.Debian entry to document the XERCES_DISABLE_DTD variable

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Aug 2016 07:59:20 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:18 2019; Machine Name: buxtehude