libxml-libxml-perl: XEE vulnerability; expand_entities set to 0 is not preserved after a _clone() call (CVE-2015-3451)

Related Vulnerabilities: CVE-2015-3451  

Debian Bug report logs - #783443

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 27 Apr 2015 04:57:02 UTC

Owned by: Salvatore Bonaccorso <carnil@debian.org>

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions libxml-libxml-perl/1.70.ds-1, libxml-libxml-perl/2.0116+dfsg-1, libxml-libxml-perl/2.0001+dfsg-1

Fixed in versions libxml-libxml-perl/1.70.ds-1+deb6u1, libxml-libxml-perl/2.0116+dfsg-2, libxml-libxml-perl/2.0116+dfsg-1+deb8u1, libxml-libxml-perl/2.0001+dfsg-1+deb7u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#783443; Package src:libxml-libxml-perl. (Mon, 27 Apr 2015 04:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Apr 2015 04:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml-libxml-perl: XEE vulnerability; expand_entities set to 0 is not preserved after a _clone() call
Date: Mon, 27 Apr 2015 06:52:46 +0200
Source: libxml-libxml-perl
Version: 2.0116+dfsg-1
Severity: important
Tags: security upstream fixed-upstream

Hi

See http://www.openwall.com/lists/oss-security/2015/04/25/2 and
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30/raw/

After a _clone() call unset options are not preserved, e.g.
expand_entities and external entities are processed.

Regards,
Salvatore

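As an added illustration (not part of the bug report or of the XML::LibXML project itself), the following Perl script checks whether an installed XML::LibXML still honours expand_entities => 0 on the load_xml() path, which goes through _clone(); the sample document and the entity_ref_preserved helper are constructed here for the check.

```perl
#!/usr/bin/perl
# Added example: compares the direct parse_string() path with the
# load_xml() path (which calls _clone() internally). On an affected
# XML::LibXML the cloned parser silently reverts to expanding entities.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample document: one internal entity, no external references.
my $xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY greeting "hello"> ]>
<doc>&greeting;</doc>
XML

# Parser configured not to expand entities and not to touch the network
# or external DTDs (the hardened configuration the report assumes).
my $parser = XML::LibXML->new(
    expand_entities => 0,
    no_network      => 1,
    load_ext_dtd    => 0,
);

# Returns 1 if the root element still holds an entity-reference node
# (option honoured), 0 if the reference was replaced by text (option lost).
sub entity_ref_preserved {
    my ($doc) = @_;
    for my $child ($doc->documentElement->childNodes) {
        return 1 if $child->nodeType == XML_ENTITY_REF_NODE;
    }
    return 0;
}

# parse_string() uses the configured parser object directly ...
my $direct = $parser->parse_string($xml);
# ... whereas load_xml() works on a _clone() of it, the path this bug covers.
my $cloned = $parser->load_xml(string => $xml);

printf "parse_string: entity reference %s\n",
    entity_ref_preserved($direct) ? 'preserved' : 'expanded';
printf "load_xml:     entity reference %s\n",
    entity_ref_preserved($cloned) ? 'preserved' : 'expanded';

# Non-zero exit if the load_xml() path lost the option, i.e. the
# installed version is affected and needs the fixed package.
exit(entity_ref_preserved($cloned) ? 0 : 1);
```

Run it against the installed package; a "preserved" result for parse_string() together with "expanded" for load_xml() reproduces the behaviour described in the report.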


Owner recorded as Salvatore Bonaccorso <carnil@debian.org>. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Apr 2015 05:09:05 GMT) (full text, mbox, link).


Marked as found in versions libxml-libxml-perl/2.0001+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Apr 2015 18:51:08 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 27 Apr 2015 19:12:36 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 Apr 2015 19:12:36 GMT) (full text, mbox, link).


Message #14 received at 783443-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783443-close@bugs.debian.org
Subject: Bug#783443: fixed in libxml-libxml-perl 2.0116+dfsg-2
Date: Mon, 27 Apr 2015 19:10:33 +0000
Source: libxml-libxml-perl
Source-Version: 2.0116+dfsg-2

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 27 Apr 2015 20:34:33 +0200
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source
Version: 2.0116+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libxml-libxml-perl - Perl interface to the libxml2 library
Closes: 783443
Changes:
 libxml-libxml-perl (2.0116+dfsg-2) unstable; urgency=medium
 .
   * Team upload.
   * Update Vcs-Browser URL to cgit web frontend
   * Add Preserve-unset-options-after-a-_clone-call.patch patch.
     Preserve unset options after a _clone() call (e.g: in load_xml()).
     (Closes: #783443)
   * Declare compliance with Debian policy 3.9.6





Changed Bug title to 'libxml-libxml-perl: XEE vulnerability; expand_entities set to 0 is not preserved after a _clone() call (CVE-2015-3451)' from 'libxml-libxml-perl: XEE vulnerability; expand_entities set to 0 is not preserved after a _clone() call' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Apr 2015 05:12:04 GMT) (full text, mbox, link).


Marked as found in versions libxml-libxml-perl/1.70.ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Apr 2015 12:09:11 GMT) (full text, mbox, link).


Marked as fixed in versions libxml-libxml-perl/1.70.ds-1+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Apr 2015 14:15:04 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 03 May 2015 13:09:25 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 May 2015 13:09:25 GMT) (full text, mbox, link).


Message #25 received at 783443-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783443-close@bugs.debian.org
Subject: Bug#783443: fixed in libxml-libxml-perl 2.0116+dfsg-1+deb8u1
Date: Sun, 03 May 2015 13:05:45 +0000
Source: libxml-libxml-perl
Source-Version: 2.0116+dfsg-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 01 May 2015 12:57:49 +0200
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source
Version: 2.0116+dfsg-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libxml-libxml-perl - Perl interface to the libxml2 library
Closes: 783443
Changes:
 libxml-libxml-perl (2.0116+dfsg-1+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3451.patch patch.
     CVE-2015-3451: expand_entities set to 0 is not preserved after a
     _clone() call. (Closes: #783443)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 05 May 2015 19:51:22 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 May 2015 19:51:22 GMT) (full text, mbox, link).


Message #30 received at 783443-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783443-close@bugs.debian.org
Subject: Bug#783443: fixed in libxml-libxml-perl 2.0001+dfsg-1+deb7u1
Date: Tue, 05 May 2015 19:47:32 +0000
Source: libxml-libxml-perl
Source-Version: 2.0001+dfsg-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 01 May 2015 13:48:42 +0200
Source: libxml-libxml-perl
Binary: libxml-libxml-perl
Architecture: source amd64
Version: 2.0001+dfsg-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libxml-libxml-perl - Perl interface to the libxml2 library
Closes: 783443
Changes:
 libxml-libxml-perl (2.0001+dfsg-1+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3451.patch patch.
     CVE-2015-3451: expand_entities set to 0 is not preserved after a
     _clone() call. (Closes: #783443)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Jun 2015 07:28:48 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:03:33 2019; Machine Name: buxtehude
