Your message dated Sat, 05 Dec 2009 22:17:47 +0000
with message-id <e1nh2wl-0001fa...@ries.debian.org>
and subject line Bug#552531: fixed in libhtml-parser-perl 3.55-1+etch1
has caused the Debian Bug report #552531,
regarding libhtml-parser-perl: decode_entities confused by trailing incomplete
entity can lead to DoS attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
552531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhtml-parser-perl
Version: 3.62-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for
libhtml-parser-perl: CVE-2009-3627.
Quoting the commit fixing the bug[1]:
> decode_entities confused by trailing incomplete entity
>
> Mark Martinec reported crashed when running SpamAssassin, given a
> particular HTML junk mail to parse. The problem was caused by
> HTML::Parsers decode_entities function confusing itself when it
> encountered strings with incomplete entities at the end of the string.
If you fix the vulnerability please also make sure to include the CVE id in
your changelog entry. All the versions in the archive seem to be affected, as
per the test case provided by upstream.
For further information see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3627
http://security-tracker.debian.org/tracker/CVE-2009-3627
[1]http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
Source: libhtml-parser-perl
Source-Version: 3.55-1+etch1
We believe that the bug you reported is fixed in the latest version of
libhtml-parser-perl, which is due to be installed in the Debian FTP archive:
libhtml-parser-perl_3.55-1+etch1.diff.gz
to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.55-1+etch1.diff.gz
libhtml-parser-perl_3.55-1+etch1.dsc
to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.55-1+etch1.dsc
libhtml-parser-perl_3.55-1+etch1_i386.deb
to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.55-1+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 552...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> (supplier of updated
libhtml-parser-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 28 Oct 2009 09:03:59 +0100
Source: libhtml-parser-perl
Binary: libhtml-parser-perl
Architecture: source i386
Version: 3.55-1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Catalyst Maintainers
<pkg-catalyst-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <salvatore.bonacco...@gmail.com>
Description:
libhtml-parser-perl - A collection of modules that parse HTML text documents
Closes: 552531
Changes:
libhtml-parser-perl (3.55-1+etch1) oldstable-security; urgency=high
.
* Fix decode_entities which can be confused by trailing incomplete entity
and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531).
Files:
0f38d699bda26190ea4764aa74eac2c8 882 perl optional
libhtml-parser-perl_3.55-1+etch1.dsc
75eb683f1fb7aa7c0ffa46ded4564b54 84746 perl optional
libhtml-parser-perl_3.55.orig.tar.gz
8c713a84e3df953ae77d83d9f2cff5bc 6136 perl optional
libhtml-parser-perl_3.55-1+etch1.diff.gz
b542502d5b1d4fff66c2d730e8c02790 108032 perl optional
libhtml-parser-perl_3.55-1+etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkros7IACgkQNxpp46476apcsgCdEs5BZ7f0ANDByeTL2BirBIv1
RAsAmwfCpb8xwNvR7kQVfTZQd+0PErhu
=vYMt
-----END PGP SIGNATURE-----
--- End Message ---
