libxalan2-java: CVE-2014-0107: Xalan-Java insufficient secure processing

Related Vulnerabilities: CVE-2014-0107  

Debian Bug report logs - #742577


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 25 Mar 2014 05:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Fixed in versions libxalan2-java/2.7.1-9, libxalan2-java/2.7.1-7+deb7u1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#742577; Package src:libxalan2-java. (Tue, 25 Mar 2014 05:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 25 Mar 2014 05:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxalan2-java: CVE-2014-0107: Xalan-Java insufficient secure processing
Date: Tue, 25 Mar 2014 06:54:02 +0100
Source: libxalan2-java
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libxalan2-java, could
you please verify.

CVE-2014-0107[0]:
Xalan-Java insufficient secure processing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2014-0107
[1] https://issues.apache.org/jira/browse/XALANJ-2435
[2] https://svn.apache.org/viewvc?view=revision&revision=1581058
[3] http://www.ocert.org/advisories/ocert-2014-002.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to control@bugs.debian.org. (Tue, 25 Mar 2014 13:36:04 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 25 Mar 2014 15:33:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 25 Mar 2014 15:33:18 GMT)


Message #12 received at 742577-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 742577-close@bugs.debian.org
Subject: Bug#742577: fixed in libxalan2-java 2.7.1-9
Date: Tue, 25 Mar 2014 15:30:50 +0000
Source: libxalan2-java
Source-Version: 2.7.1-9

We believe that the bug you reported is fixed in the latest version of
libxalan2-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742577@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxalan2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 25 Mar 2014 15:22:35 +0100
Source: libxalan2-java
Binary: libxalan2-java libxsltc-java libxalan2-java-doc
Architecture: source all
Version: 2.7.1-9
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 libxalan2-java - XSL Transformations (XSLT) processor in Java
 libxalan2-java-doc - Documentation and examples for the Xalan-Java XSLT processor
 libxsltc-java - XSL Transformations (XSLT) compiler from Xalan-Java
Closes: 742577
Changes: 
 libxalan2-java (2.7.1-9) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
     external general entities, foreign attributes and access to the system
     properties. This could be exploited to execute arbitrary code remotely.
     (Closes: #742577)
   * debian/control:
     - Standards-Version updated to 3.9.5 (no changes)
     - Use canonical URLs for the Vcs-* fields
     - Updated the Homepage field
     - Removed the duplicate Section fields
   * Switch to debhelper level 9
   * debian/rules: Improved the clean target
Checksums-Sha1: 
 8655db332b2764021935e18ed9f9978e31a86ab1 2369 libxalan2-java_2.7.1-9.dsc
 b9ccda7cc0922f28ae8f3c22941ef50e0319d4c6 15292 libxalan2-java_2.7.1-9.debian.tar.xz
 f24a7d22ee06927431b64e46f5645075a3fb695a 3168716 libxalan2-java_2.7.1-9_all.deb
 9ac80e1e09493055e1ee9f4176ba4d753f69a206 1231910 libxsltc-java_2.7.1-9_all.deb
 30f29bc5065bbf674149ef16991d448a9c84582f 2564952 libxalan2-java-doc_2.7.1-9_all.deb
Checksums-Sha256: 
 dc22e7fd2106cc937302ab6c02c302ad5c5cc80ed83c48166f2f2583cc983395 2369 libxalan2-java_2.7.1-9.dsc
 d4f4d0b2a1e8b0aeba2b8ec7368ac89cb56fbb23efae16d43c8d1fbd89713293 15292 libxalan2-java_2.7.1-9.debian.tar.xz
 b9b08638101bc2d5a84e84ce967208e4976f12b996a30cbd6ebad5f588fac518 3168716 libxalan2-java_2.7.1-9_all.deb
 ac3ad41a60f3bbdea2a881bc1a1fedda8af01083c12694d303f090358a810bee 1231910 libxsltc-java_2.7.1-9_all.deb
 6b20709ce1d6e627ecf878487e447b53ad2428ee63f5ede0f1039c47febe7f40 2564952 libxalan2-java-doc_2.7.1-9_all.deb
Files: 
 f7e23578c4902227a88c610cdb69a425 2369 java optional libxalan2-java_2.7.1-9.dsc
 fc784a91fd612a17c6380d216de39fad 15292 java optional libxalan2-java_2.7.1-9.debian.tar.xz
 e904eb7ee7e110c4cba441fbb50728ec 3168716 java optional libxalan2-java_2.7.1-9_all.deb
 27e9ad3f3207425535f510691c3cd6bc 1231910 java optional libxsltc-java_2.7.1-9_all.deb
 d9fe3ad2885dc8061ac3e1ffa1563434 2564952 doc optional libxalan2-java-doc_2.7.1-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTMZJVAAoJEPUTxBnkudCsvaQQALZ+1+SYpr15fBgIDyBE+P//
SiWx388fB8XWBAe82Ogo2g6hzhV+qruhBWI6aFxlLK0bj/7Lt+tCSF6YFYimYMMO
PQzJMlXzcyPF7G+CoU+O0NCSzpsVMTUNXB685b6hTi60cTqJVivSfob3ikp4LQSo
8qKmm5Eg08/NIjsObuVYBTwqMA8D8XvIAN5j5tjvgpaAqRhuzJU/4bOOjsmFgmuh
hmXUYiqXNuObSkPY8VzCxwFYZ+qnRcWsGFDS267ORq3FvjgXcDMLy4F0do1jzoo7
T0Xkrwk95/yS/ZzJrv1XQo5uc3nIdeaC+ZbSxQwx5YBYCmR/jjAQHYf6my7UpUTR
hc/qKyL/2xrqyOFSVbMtOH9ahVCpgpc3h4BnmC/9FLZecFpQGzpiMPTJ7XvUMHsq
x3tKOMNOdipFDpAaDORRAo1MX+oWRYknMOcPHPvWno9BrmcBvcdcDSHqstlbgeze
XA3M1k7CxPNvRr9jeYn8y3/VKx/HQZO1PCYGrZDPZQR+6t1f1CLN98/mbFAzxpKs
Y0fBpTkRQAI/jmUdL/CjsIUWMP2eYgo5eGzGxvJ6PKzPEEs7cDrvItzaVmiAurJe
3jDS2KY/oTI+vi49Go5nc4YeaKaBgFvMITNJjvLbYz8MbiZWzfXm8OMsePoow0Hv
m9vXi1jhH4fAI/F7yKPt
=nDr9
-----END PGP SIGNATURE-----




Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 01 Apr 2014 21:21:27 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 Apr 2014 21:21:27 GMT)


Message #17 received at 742577-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 742577-close@bugs.debian.org
Subject: Bug#742577: fixed in libxalan2-java 2.7.1-7+deb7u1
Date: Tue, 01 Apr 2014 21:17:13 +0000
Source: libxalan2-java
Source-Version: 2.7.1-7+deb7u1

We believe that the bug you reported is fixed in the latest version of
libxalan2-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742577@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxalan2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 25 Mar 2014 15:37:47 +0100
Source: libxalan2-java
Binary: libxalan2-java libxsltc-java libxalan2-java-doc
Architecture: source all
Version: 2.7.1-7+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 libxalan2-java - XSL Transformations (XSLT) processor in Java
 libxalan2-java-doc - Documentation and examples for the Xalan-Java XSLT processor
 libxsltc-java - XSL Transformations (XSLT) compiler from Xalan-Java
Closes: 742577
Changes: 
 libxalan2-java (2.7.1-7+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
     external general entities, foreign attributes and access to the system
     properties. This could be exploited to execute arbitrary code remotely.
     (Closes: #742577)
Checksums-Sha1: 
 2a87a9451f35672cfdf29c3ea86cb094d40402fe 2097 libxalan2-java_2.7.1-7+deb7u1.dsc
 b90f75bcf925c93c882909a34bc2fdbe1154e38b 3781074 libxalan2-java_2.7.1.orig.tar.gz
 f1e13246846d6a9801df7e274b4f30864c113a33 17889 libxalan2-java_2.7.1-7+deb7u1.debian.tar.gz
 630d0f05741c2662631f72f624f35307cb1ccf5c 3342508 libxalan2-java_2.7.1-7+deb7u1_all.deb
 6aefc830eaf620527ad1612bd89f4c22a2e1e1c6 1301044 libxsltc-java_2.7.1-7+deb7u1_all.deb
 34f298fabae015c0384d15248b908e4617563dd5 4819132 libxalan2-java-doc_2.7.1-7+deb7u1_all.deb
Checksums-Sha256: 
 a58128ebd52a35081feceb4518d954e3d0770d45685807ef4c464e53dddf438d 2097 libxalan2-java_2.7.1-7+deb7u1.dsc
 5a1213342047da146525c545b3fb71935617c2caf16c17ce9626df4606678501 3781074 libxalan2-java_2.7.1.orig.tar.gz
 b253dcf323564c11fa38a5e10104ca94fa007148907b61cec2bc7436553d1374 17889 libxalan2-java_2.7.1-7+deb7u1.debian.tar.gz
 22ab6709fea5e48c18d07d07a2272b8d7c48b05602abf77d69674f540e44c291 3342508 libxalan2-java_2.7.1-7+deb7u1_all.deb
 d281bc93aa85765507ca64f0c34bab5d9ab84d8db0bac3598672376ebc645b59 1301044 libxsltc-java_2.7.1-7+deb7u1_all.deb
 7a1711440135a00c52fb0bccec9917098c1f8f70ec1e7038ea1a743a9d847c56 4819132 libxalan2-java-doc_2.7.1-7+deb7u1_all.deb
Files: 
 20978867aff0a19d56b5e3f0a25fac2e 2097 java optional libxalan2-java_2.7.1-7+deb7u1.dsc
 fb936695fff53e4d8c685913f0577719 3781074 java optional libxalan2-java_2.7.1.orig.tar.gz
 3b3641b826d61347aecf1d250b25d088 17889 java optional libxalan2-java_2.7.1-7+deb7u1.debian.tar.gz
 3ed8f27cdb6b7521577a8e10c987abfb 3342508 java optional libxalan2-java_2.7.1-7+deb7u1_all.deb
 6c1a4a59ec0ba0023176e73690d07d4d 1301044 java optional libxsltc-java_2.7.1-7+deb7u1_all.deb
 ea02da29e438601ce68f4e3c47e0c338 4819132 doc optional libxalan2-java-doc_2.7.1-7+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJTMzaDAAoJEL97/wQC1SS+oR4IALRNdIMENJXHLVelG2wF+sYj
OTWPI0qNAo5Qw+a5Z2x5Lb9IU094NFgPGgRVFnHj9ebIi5/1TIO1WhYzQDWw1W/I
18TQpf+3p2/kznSD3zwS5xcjYpOV8jyn67bD7QD3WCMC2OXW4KVkMPHZfcYrYKIH
0drJB1Tlqa+sG/6XDBkeWi0Ly+BEN3Xv2kfZqCiV1TlVIcmI4R1l9L37MeT08CD3
AANON2eNZlAzgPTUyjF6G9Gjaz79i/9Ag8LWAPkfe2Nh+ZSupisiPlvo3fNRWwXC
Yq6sRZTMzCZle5ewsMqBmuTxQNOUtdw9A8Q+usabLpuMQSrvfm8a4b1jSctdAXs=
=cJc5
-----END PGP SIGNATURE-----
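The changelog entries in messages #12 and #17 above describe the fix as a strengthening of Xalan-Java's secure processing mode (external general entities, foreign attributes and system-property access are disabled when that mode is on). The library fix only helps applications that actually turn the mode on, so the following added example (written for this page, not code from the Debian bug log or from the Xalan project) shows the application-side configuration: a JAXP TransformerFactory with FEATURE_SECURE_PROCESSING enabled and, as an additional layer, the JAXP 1.5 attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET set to the empty string so that document(), xsl:import and xsl:include cannot fetch external resources. Assumptions: Java 8 or later for the XMLConstants attributes; which XSLT engine answers TransformerFactory.newInstance() (the JDK's bundled XSLTC or a Xalan jar on the classpath) depends on the deployment, and an engine that predates JAXP 1.5 rejects the two attributes with IllegalArgumentException, which the code reports instead of silently ignoring. The stylesheets and document are constructed sample input; the exact exception type raised for a refused external reference is engine-specific, so the check treats any TransformerException as the refusal.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Added example: hardened JAXP/XSLT configuration (not from the bug log or the Xalan project). */
public class SecureXsltDemo {

    /** Build a TransformerFactory with secure processing on and external access cut off. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing mode: the switch that CVE-2014-0107 hardened (Xalan 2.7.2,
        // Debian 2.7.1-9 / 2.7.1-7+deb7u1). Without it the library fix changes nothing.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes: an empty protocol list refuses every external DTD and every
        // external stylesheet/document() reference. Assumption: an engine older than JAXP 1.5
        // does not know them and throws IllegalArgumentException; report it, do not swallow it.
        for (String attr : new String[] { XMLConstants.ACCESS_EXTERNAL_DTD,
                                          XMLConstants.ACCESS_EXTERNAL_STYLESHEET }) {
            try {
                tf.setAttribute(attr, "");
            } catch (IllegalArgumentException e) {
                System.err.println("engine does not support " + attr + ": " + e.getMessage());
            }
        }
        return tf;
    }

    /** Compile a stylesheet and apply it to a document, both given as strings. */
    static String transform(String xslt, String xml) throws TransformerException {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    /** True when the hardened factory refuses to run the stylesheet. */
    static boolean isRefused(String xslt, String xml) {
        try {
            transform(xslt, xml);
            return false;
        } catch (TransformerException e) {
            return true;
        }
    }

    // Constructed sample input: a benign stylesheet and document, to confirm that the
    // hardened factory still performs ordinary transformations.
    static final String BENIGN_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc/name\"/></xsl:template>"
      + "</xsl:stylesheet>";
    static final String SAMPLE_XML = "<doc><name>alice</name></doc>";

    // Constructed sample: a stylesheet that references an external resource through document().
    // example.invalid is a reserved name that never resolves; with accessExternalStylesheet=""
    // the engine must refuse the reference before attempting any fetch.
    static final String EXTERNAL_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:value-of select=\"document('http://example.invalid/x.xml')\"/>"
      + "</xsl:template></xsl:stylesheet>";

    public static void main(String[] args) throws Exception {
        System.out.println("benign transform: " + transform(BENIGN_XSLT, SAMPLE_XML));
        if (isRefused(EXTERNAL_XSLT, SAMPLE_XML)) {
            System.out.println("external reference refused by the hardened factory");
        } else {
            System.out.println("WARNING: external reference was not refused; "
                             + "engine lacks JAXP 1.5 restrictions or secure processing");
        }
    }
}
```

Run it once against each XSLT engine that can end up on the classpath of a deployment (the JDK's own and any Xalan jar), since TransformerFactory.newInstance() picks whichever is found first and the two behave differently on the attributes above; the WARNING branch is the signal that the engine, not just the configuration, needs attention.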




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Apr 2014 07:32:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:05:47 2019; Machine Name: buxtehude
