libxml-libxml-perl: CVE-2017-10672: Use-after-free in XML::LibXML::Node::replaceChild

Related Vulnerabilities: CVE-2017-10672  

Debian Bug report logs - #866676
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 30 Jun 2017 19:09:01 UTC

Severity: grave

Tags: security, upstream

Found in versions libxml-libxml-perl/2.0128+dfsg-3, libxml-libxml-perl/2.0116+dfsg-1

Fixed in versions libxml-libxml-perl/2.0128+dfsg-4, libxml-libxml-perl/2.0128+dfsg-1+deb9u1, libxml-libxml-perl/2.0116+dfsg-1+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Ticket/Display.html?id=122246


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Fri, 30 Jun 2017 19:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 30 Jun 2017 19:09:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml-libxml-perl: CVE-2017-10672: Use-after-free in XML::LibXML::Node::replaceChild
Date: Fri, 30 Jun 2017 21:04:36 +0200
Source: libxml-libxml-perl
Version: 2.0116+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://rt.cpan.org/Ticket/Display.html?id=122246

Hi,

the following vulnerability was published for libxml-libxml-perl.
Filing this one for now as severity grave, but we might adjust later
the severity if not appropriate.

CVE-2017-10672[0]:
| Use-after-free in the XML-LibXML module through 2.0129 for Perl allows
| remote attackers to execute arbitrary code by controlling the arguments
| to a replaceChild call.

There is no upstream fix yet.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10672
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10672
[1] https://rt.cpan.org/Ticket/Display.html?id=122246

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Thu, 03 Aug 2017 20:12:03 GMT) (full text, mbox, link).


Message #8 received at 866676@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 866676@bugs.debian.org, 866676-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxml-libxml-perl package
Date: Thu, 03 Aug 2017 20:09:49 +0000

tag 866676 + pending
thanks

Some bugs in the libxml-libxml-perl package are closed in revision
0700a409b364370343bb6aff1a1ad91e11de973e in branch 'master' by
Salvatore Bonaccorso

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libxml-libxml-perl.git/commit/?id=0700a40

Commit message:

    CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
    
    Closes: #866676




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 03 Aug 2017 20:12:04 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#866676. (Thu, 03 Aug 2017 20:12:06 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 03 Aug 2017 20:57:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Aug 2017 20:57:03 GMT) (full text, mbox, link).


Message #18 received at 866676-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866676-close@bugs.debian.org
Subject: Bug#866676: fixed in libxml-libxml-perl 2.0128+dfsg-2
Date: Thu, 03 Aug 2017 20:52:43 +0000
Source: libxml-libxml-perl
Source-Version: 2.0128+dfsg-2

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 02 Aug 2017 21:42:27 +0200
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source
Version: 2.0128+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 866676
Description: 
 libxml-libxml-perl - Perl interface to the libxml2 library
Changes:
 libxml-libxml-perl (2.0128+dfsg-2) unstable; urgency=high
 .
   * Team upload.
 .
   [ gregor herrmann ]
   * Remove Chris Butler from Uploaders. Thanks for your work!
   * Remove Jonathan Yu from Uploaders. Thanks for your work!
 .
   [ Salvatore Bonaccorso ]
   * CVE-2017-10672: Use-after-free by controlling the arguments to a
     replaceChild call (Closes: #866676)
   * Declare compliance with Debian policy 4.0.0




Bug reopened Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Aug 2017 10:51:03 GMT) (full text, mbox, link).


No longer marked as fixed in versions libxml-libxml-perl/2.0128+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Aug 2017 10:51:03 GMT) (full text, mbox, link).


Marked as found in versions libxml-libxml-perl/2.0128+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Aug 2017 10:51:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Fri, 04 Aug 2017 10:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 04 Aug 2017 10:54:03 GMT) (full text, mbox, link).


Message #29 received at 866676@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866676@bugs.debian.org
Subject: Re: Bug#866676: libxml-libxml-perl: CVE-2017-10672: Use-after-free in XML::LibXML::Node::replaceChild
Date: Fri, 4 Aug 2017 12:51:17 +0200

Hi

I backed out the commit again for now. There were several FTBFS on
release architectures after that upload (not sure if all are related
to the fix), but this might need a proper investigation first.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Sun, 29 Oct 2017 12:45:03 GMT) (full text, mbox, link).


Message #32 received at 866676@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 866676@bugs.debian.org, 866676-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxml-libxml-perl package
Date: Sun, 29 Oct 2017 12:41:55 +0000

tag 866676 + pending
thanks

Some bugs in the libxml-libxml-perl package are closed in revision
d67c556fe52a3c76c6105491cc4c546b408f44ed in branch 'master' by
Salvatore Bonaccorso

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libxml-libxml-perl.git/commit/?id=d67c556

Commit message:

    CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
    
    Closes: #866676




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sun, 29 Oct 2017 12:45:07 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#866676. (Sun, 29 Oct 2017 12:45:12 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 29 Oct 2017 12:51:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 29 Oct 2017 12:51:03 GMT) (full text, mbox, link).


Message #42 received at 866676-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866676-close@bugs.debian.org
Subject: Bug#866676: fixed in libxml-libxml-perl 2.0128+dfsg-4
Date: Sun, 29 Oct 2017 12:49:41 +0000
Source: libxml-libxml-perl
Source-Version: 2.0128+dfsg-4

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 29 Oct 2017 13:26:40 +0100
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source
Version: 2.0128+dfsg-4
Distribution: experimental
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 866676
Description: 
 libxml-libxml-perl - Perl interface to the libxml2 library
Changes:
 libxml-libxml-perl (2.0128+dfsg-4) experimental; urgency=medium
 .
   * Team upload.
   * CVE-2017-10672: Use-after-free by controlling the arguments to a
     replaceChild call (Closes: #866676)
   * Declare compliance with Debian policy 4.1.1




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Tue, 14 Nov 2017 17:09:02 GMT) (full text, mbox, link).


Message #45 received at 866676@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 866676@bugs.debian.org, 866676-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxml-libxml-perl package
Date: Tue, 14 Nov 2017 17:06:54 +0000

tag 866676 + pending
thanks

Some bugs in the libxml-libxml-perl package are closed in revision
4275f5bfdfa543ceb7e92a6382a7725600ef304b in branch 'wheezy' by
Salvatore Bonaccorso

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libxml-libxml-perl.git/commit/?id=4275f5b

Commit message:

    CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
    
    Closes: #866676




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 14 Nov 2017 17:09:06 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#866676. (Tue, 14 Nov 2017 17:09:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Sat, 18 Nov 2017 08:24:03 GMT) (full text, mbox, link).


Message #53 received at 866676@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 866676@bugs.debian.org, 866676-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxml-libxml-perl package
Date: Sat, 18 Nov 2017 08:21:37 +0000

tag 866676 + pending
thanks

Some bugs in the libxml-libxml-perl package are closed in revision
852fef98034bebcb843007234f03c31d06fccc7d in branch 'stretch' by
Salvatore Bonaccorso

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libxml-libxml-perl.git/commit/?id=852fef9

Commit message:

    CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
    
    Closes: #866676




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#866676. (Sat, 18 Nov 2017 08:24:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866676; Package src:libxml-libxml-perl. (Sat, 18 Nov 2017 13:33:03 GMT) (full text, mbox, link).


Message #59 received at 866676@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 866676@bugs.debian.org, 866676-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxml-libxml-perl package
Date: Sat, 18 Nov 2017 13:29:26 +0000

tag 866676 + pending
thanks

Some bugs in the libxml-libxml-perl package are closed in revision
e8045d7ace37ba952f0fa3cc8ca6281a9d20b8a5 in branch
'jessie-security' by Salvatore Bonaccorso

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libxml-libxml-perl.git/commit/?id=e8045d7

Commit message:

    CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call
    
    Closes: #866676




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#866676. (Sat, 18 Nov 2017 13:33:06 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 19 Nov 2017 22:51:33 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 19 Nov 2017 22:51:33 GMT) (full text, mbox, link).


Message #67 received at 866676-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866676-close@bugs.debian.org
Subject: Bug#866676: fixed in libxml-libxml-perl 2.0128+dfsg-1+deb9u1
Date: Sun, 19 Nov 2017 22:47:09 +0000
Source: libxml-libxml-perl
Source-Version: 2.0128+dfsg-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 18 Nov 2017 09:16:17 +0100
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source
Version: 2.0128+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 866676
Description: 
 libxml-libxml-perl - Perl interface to the libxml2 library
Changes:
 libxml-libxml-perl (2.0128+dfsg-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * CVE-2017-10672: Use-after-free by controlling the arguments to a
     replaceChild call (Closes: #866676)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 19 Nov 2017 22:51:35 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 19 Nov 2017 22:51:35 GMT) (full text, mbox, link).


Message #72 received at 866676-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866676-close@bugs.debian.org
Subject: Bug#866676: fixed in libxml-libxml-perl 2.0116+dfsg-1+deb8u2
Date: Sun, 19 Nov 2017 22:47:41 +0000
Source: libxml-libxml-perl
Source-Version: 2.0116+dfsg-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 18 Nov 2017 14:14:08 +0100
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source
Version: 2.0116+dfsg-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 866676
Description: 
 libxml-libxml-perl - Perl interface to the libxml2 library
Changes:
 libxml-libxml-perl (2.0116+dfsg-1+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
   * CVE-2017-10672: Use-after-free by controlling the arguments to a
     replaceChild call (Closes: #866676)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Dec 2017 07:30:44 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:31 2019; Machine Name: buxtehude
