expat: CVE-2013-0340


Debian Bug report logs - #1001864


Package: expat; Maintainer for expat is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for expat is src:expat (PTS, buildd, popcon).

Reported by: "Devalla, Manoj Raj" <ManojRaj.Devalla@Cerner.com>

Date: Fri, 17 Dec 2021 22:36:02 UTC

Severity: important

Tags: security, upstream

Found in version expat/2.2.10-2

Fixed in version expat/2.4.1-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1001864; Package expat. (Fri, 17 Dec 2021 22:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Devalla, Manoj Raj" <ManojRaj.Devalla@Cerner.com>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.

Your message tried to set a usertag, but didn't have a valid user set ('"Devalla' isn't valid)

(Fri, 17 Dec 2021 22:36:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Devalla, Manoj Raj" <ManojRaj.Devalla@Cerner.com>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: expat: CVE-2013-0340
Date: Fri, 17 Dec 2021 22:33:32 +0000
Package: expat
Version: 2.2.10-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for expat.

CVE-2013-0340[0]:
| expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of
| service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because
| expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be
| REJECTed, and each affected application would need its own CVE.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Current OS: Debian GNU/Linux 11

For further information see:

[0] https://nvd.nist.gov/vuln/detail/CVE-2013-0340

Please adjust the affected versions in the BTS as needed.

Regards,
Raj



CONFIDENTIALITY NOTICE This message and any included attachments are from Cerner Corporation and are intended only for the addressee. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1) (816)221-1024.
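The CVE text quoted in the report above hinges on one point: libexpat expands entities by default, fetches nothing on its own, and leaves it to the application to install XML_SetEntityDeclHandler (or an external-entity-reference handler) if it wants to refuse such documents. The following is an added example, not code from this bug report, from Debian or from the expat project. It uses Python's standard-library xml.parsers.expat binding to libexpat (where XML_SetEntityDeclHandler is the EntityDeclHandler attribute) to run three parsers over constructed inputs: an unprotected parser, a parser whose application-supplied resolver blindly fetches whatever URI the DTD names (the XXE case), and a hardened parser. The documents, the FAKE_FS table and the function names are this example's own assumptions.

```python
# Added example (not this bug report's or expat's own code): Python's standard
# library xml.parsers.expat binding to libexpat, used to show the behaviour
# CVE-2013-0340 describes and the EntityDeclHandler mitigation the CVE names.
# Every document below and the FAKE_FS table are constructed for the demo.
from xml.parsers.expat import ParserCreate, XML_PARAM_ENTITY_PARSING_NEVER

# Constructed entity-amplification document: three levels of ten references
# each, so &lol3; expands to 10 * 10 * 10 * len("lol") = 3000 characters.
BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed XXE document: an external general entity naming a local file.
XXE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<foo>&ext;</foo>"""

FAKE_FS = {"file:///etc/hostname": "db-server-01\n"}  # stand-in for real file reads
BENIGN = "<note><to>ops</to><body>hello</body></note>"   # 8 characters of text


class EntityRejected(ValueError):
    """Raised by parse_hardened when a document declares or references an entity."""


def _counting_parser():
    """ParserCreate() plus a CharacterDataHandler that totals delivered text."""
    p = ParserCreate()
    total = [0]

    def on_text(data):
        total[0] += len(data)

    p.CharacterDataHandler = on_text
    return p, total


def parse_unprotected(doc):
    """Application affected by CVE-2013-0340: no entity handlers. Internal
    entities expand without limit; an external reference is merely skipped,
    since expat itself never fetches. Returns text characters delivered."""
    p, total = _counting_parser()
    p.Parse(doc, True)
    return total[0]


def parse_with_naive_resolver(doc):
    """The XXE case: the application resolves external entities itself by
    fetching whatever URI the DTD named and handing it back to expat.
    Returns (text characters delivered, URIs the resolver fetched)."""
    p, total = _counting_parser()
    fetched = []

    def on_external_ref(context, base, system_id, public_id):
        fetched.append(system_id)
        body = FAKE_FS.get(system_id, "")            # real apps: open()/urlopen()
        sub = p.ExternalEntityParserCreate(context)  # child inherits the handlers
        sub.Parse(body, True)
        return 1                                     # non-zero: reference handled

    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(doc, True)
    return total[0], fetched


def parse_hardened(doc):
    """Mitigation the CVE text points at: refuse the document as soon as any
    entity is declared (EntityDeclHandler), refuse external references, and
    never parse parameter entities, so no external DTD is fetched either."""
    p, total = _counting_parser()
    p.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityRejected("entity declaration refused: %s" % name)

    def on_external_ref(context, base, system_id, public_id):
        raise EntityRejected("external entity refused: %s" % system_id)

    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(doc, True)  # an exception raised inside a handler propagates from Parse()
    return total[0]


def is_rejected(doc):
    """True if parse_hardened refuses the document."""
    try:
        parse_hardened(doc)
        return False
    except EntityRejected:
        return True


if __name__ == "__main__":
    print("unprotected bomb  :", parse_unprotected(BOMB), "chars from", len(BOMB), "bytes")
    print("unprotected xxe   :", parse_unprotected(XXE), "chars, nothing fetched")
    print("naive resolver xxe:", parse_with_naive_resolver(XXE))
    for name, doc in (("bomb", BOMB), ("xxe", XXE), ("benign", BENIGN)):
        print("hardened", name, ":", "rejected" if is_rejected(doc) else parse_hardened(doc))
```

Run as a script it shows the three outcomes side by side: the unprotected parser turns a few hundred bytes into 3000 characters of text and delivers nothing for the external entity (expat never fetched it), the naive resolver is the one that reaches for file:///etc/hostname and hands its contents back as document text, and the hardened parser refuses both crafted documents at the first entity declaration while still parsing the benign one. Upstream expat 2.4.0, which is the change behind the 2.4.1-1 fix recorded above, additionally ships an amplification limit (XML_SetBillionLaughsAttackProtectionMaximumAmplification and ...ActivationThreshold); the toy document here is far below its default activation threshold, which is why the unprotected parse still expands it in full.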

Marked as fixed in versions expat/2.4.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 Dec 2021 08:57:02 GMT) (full text, mbox, link).


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 Dec 2021 08:57:03 GMT) (full text, mbox, link).


Notification sent to "Devalla, Manoj Raj" <ManojRaj.Devalla@Cerner.com>:
Bug acknowledged by developer. (Sat, 18 Dec 2021 08:57:04 GMT) (full text, mbox, link).


Message sent on to "Devalla, Manoj Raj" <ManojRaj.Devalla@Cerner.com>:
Bug#1001864. (Sat, 18 Dec 2021 08:57:05 GMT) (full text, mbox, link).


Message #14 received at 1001864-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1001864-submitter@bugs.debian.org
Subject: closing 1001864
Date: Sat, 18 Dec 2021 09:52:39 +0100
close 1001864 2.4.1-1
thanks






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 18 14:39:58 2021; Machine Name: bembo
