CVE-2011-3970: Denial of Service


Debian Bug report logs - #660650
CVE-2011-3970: Denial of Service


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 20 Feb 2012 16:24:02 UTC

Severity: important

Tags: security

Fixed in version libxslt/1.1.26-11

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#660650; Package libxslt. (Mon, 20 Feb 2012 16:24:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 20 Feb 2012 16:24:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-3970: Denial of Service
Date: Mon, 20 Feb 2012 17:22:26 +0100
Package: libxslt
Severity: important
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970

Fix:
http://git.gnome.org/browse/libxslt/commit/?id=fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#660650; Package libxslt. (Sun, 29 Apr 2012 05:45:05 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 29 Apr 2012 05:45:05 GMT)


Message #10 received at 660650@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 670799@bugs.debian.org, 660650@bugs.debian.org, 655601@bugs.debian.org
Subject: Patch for 1.1.26-8.1 NMU
Date: Sun, 29 Apr 2012 01:44:20 -0400
Hi,

I've uploaded the attached patch as an NMU to delayed/10 fixing these
three bugs.  Please let me know if I should delay differently.

Best wishes,
Mike
[libxslt.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#660650; Package libxslt. (Sun, 06 May 2012 10:03:12 GMT)


Acknowledgement sent to Aron Xu <happyaron.xu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 06 May 2012 10:03:18 GMT)


Message #15 received at 660650@bugs.debian.org:

From: Aron Xu <happyaron.xu@gmail.com>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 670799@bugs.debian.org, 660650@bugs.debian.org, 655601@bugs.debian.org, 666333@bugs.debian.org
Subject: 10-day NMU of libxslt
Date: Sun, 6 May 2012 18:00:31 +0800
Hi Michael,

It seems the QA upload which was meant to fix #666333 has taken the
revision number -9, so your 10-day NMU will get rejected by ftp-master
unfortunately.

-- 
Regards,
Aron Xu




Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 07 May 2012 01:57:13 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Mon, 07 May 2012 01:57:13 GMT)


Message #20 received at 660650-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 660650-close@bugs.debian.org
Subject: Bug#660650: fixed in libxslt 1.1.26-11
Date: Mon, 07 May 2012 01:47:30 +0000
Source: libxslt
Source-Version: 1.1.26-11

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive:

libxslt1-dbg_1.1.26-11_amd64.deb
  to main/libx/libxslt/libxslt1-dbg_1.1.26-11_amd64.deb
libxslt1-dev_1.1.26-11_amd64.deb
  to main/libx/libxslt/libxslt1-dev_1.1.26-11_amd64.deb
libxslt1.1_1.1.26-11_amd64.deb
  to main/libx/libxslt/libxslt1.1_1.1.26-11_amd64.deb
libxslt_1.1.26-11.diff.gz
  to main/libx/libxslt/libxslt_1.1.26-11.diff.gz
libxslt_1.1.26-11.dsc
  to main/libx/libxslt/libxslt_1.1.26-11.dsc
python-libxslt1-dbg_1.1.26-11_amd64.deb
  to main/libx/libxslt/python-libxslt1-dbg_1.1.26-11_amd64.deb
python-libxslt1_1.1.26-11_amd64.deb
  to main/libx/libxslt/python-libxslt1_1.1.26-11_amd64.deb
xsltproc_1.1.26-11_amd64.deb
  to main/libx/libxslt/xsltproc_1.1.26-11_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 660650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 06 May 2012 20:35:38 -0400
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.26-11
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 643034 655601 660650 670799
Changes: 
 libxslt (1.1.26-11) unstable; urgency=low
 .
   * QA upload.
   * Bump standards version to 3.9.3.
   * Apply Steve Langasek's patch to enable multiarch (closes: 643034).
   * Fix cve-2011-3970: out-of-bounds array access issue (closes: #660650).
   * Bump debian/compat to 9 and enable hardened build flags (closes: #655601).
   * Eliminate system config.sub and config.guess from the debian diff
     (closes: #670799).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jun 2012 07:41:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:51:05 2019; Machine Name: beach
