Debian Bug report logs - #823863
xerces-c: CVE-2016-2099: use-after-free

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 9 May 2016 17:57:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version xerces-c/3.1.1-1

Fixed in versions xerces-c/3.1.3+debian-2, xerces-c/3.1.1-5.1+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/XERCESC-2066

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, William Blough <devel@blough.us>:
Bug#823863; Package src:xerces-c. (Mon, 09 May 2016 17:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, William Blough <devel@blough.us>. (Mon, 09 May 2016 17:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces-c: CVE-2016-2099: upse-after-free
Date: Mon, 09 May 2016 19:54:00 +0200
Source: xerces-c
Version: 3.1.1-1
Severity: grave
Tags: security upstream patch
Forwarded: https://issues.apache.org/jira/browse/XERCESC-2066

Hi,

the following vulnerability was published for xerces-c.

CVE-2016-2099[0]:
use-after-free

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2099
[1] https://issues.apache.org/jira/browse/XERCESC-2066

Regards,
Salvatore



Changed Bug title to 'xerces-c: CVE-2016-2099: use-after-free' from 'xerces-c: CVE-2016-2099: upse-after-free'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 May 2016 18:03:08 GMT)


Added tag(s) pending. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Tue, 10 May 2016 04:39:09 GMT)


Reply sent to William Blough <devel@blough.us>:
You have taken responsibility. (Tue, 10 May 2016 17:33:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 10 May 2016 17:33:04 GMT)


Message #14 received at 823863-close@bugs.debian.org:

From: William Blough <devel@blough.us>
To: 823863-close@bugs.debian.org
Subject: Bug#823863: fixed in xerces-c 3.1.3+debian-2
Date: Tue, 10 May 2016 17:30:50 +0000
Source: xerces-c
Source-Version: 3.1.3+debian-2

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Blough <devel@blough.us> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 10 May 2016 00:34:51 -0400
Source: xerces-c
Binary: libxerces-c3.1 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: source
Version: 3.1.3+debian-2
Distribution: unstable
Urgency: medium
Maintainer: William Blough <devel@blough.us>
Changed-By: William Blough <devel@blough.us>
Description:
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.1 - validating XML parser library for C++
Closes: 823863
Changes:
 xerces-c (3.1.3+debian-2) unstable; urgency=medium
 .
   * Fix CVE-2016-2099: Exception handling mistake in DTDScanner.
     Closes: #823863
   * Update standards version to 3.9.8 (no changes needed)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 18 May 2016 22:57:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 May 2016 22:57:08 GMT)


Message #19 received at 823863-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 823863-close@bugs.debian.org
Subject: Bug#823863: fixed in xerces-c 3.1.1-5.1+deb8u2
Date: Wed, 18 May 2016 22:54:02 +0000
Source: xerces-c
Source-Version: 3.1.1-5.1+deb8u2

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 14 May 2016 05:45:10 +0200
Source: xerces-c
Binary: libxerces-c3.1 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: all source
Version: 3.1.1-5.1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 823863
Description:
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.1 - validating XML parser library for C++
Changes:
 xerces-c (3.1.1-5.1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-2099: Use-after-free in heap on specially crafted XML input
     (Closes: #823863)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Jun 2016 07:33:50 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:56:45 2019; Machine Name: buxtehude
