Your message dated Thu, 23 Feb 2012 22:47:11 +0000
with message-id <e1s0hrp-0005li...@franck.debian.org>
and subject line Bug#660846: fixed in libxml2 2.7.8.dfsg-2+squeeze3
has caused the Debian Bug report #660846,
regarding libxml2: CVE-2012-0841 computational DoS attack via hash collisions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
660846: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660846
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libxml2.
CVE-2012-0841[0]:
| Juraj Somorovsky reported that certain XML parsers/servers are affected by the
| same, or similar, flaw as the hash table collisions CPU usage denial of
| service. Sending a specially crafted message to an XML service can result in
| longer processing time, which could lead to a denial of service. It is
| reported that this attack on XML can be applied on different XML nodes (such as
| entities, element attributes, namespaces, various elements in the XML security,
| etc.).
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Patch:
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
http://security-tracker.debian.org/tracker/CVE-2012-0841
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze3
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
to main/libx/libxml2/libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
libxml2_2.7.8.dfsg-2+squeeze3.dsc
to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze3.dsc
libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 660...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 22 Feb 2012 11:17:27 +0000
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.7.8.dfsg-2+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 660846
Changes:
libxml2 (2.7.8.dfsg-2+squeeze3) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Apply upstream patch to add randomization to hashing with large
dictionaries to mitigate hash DoS (CVE-2012-0841; Closes: #660846).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9E1bUACgkQHYflSXNkfP+gnwCghECefXoZky+S+cZjdd8OG4u5
tc0An2kQ48rXwEy5sBvzY8c9tfDvmqKM
=Zqt0
-----END PGP SIGNATURE-----
--- End Message ---
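
The mitigation named in the changelog entry above (adding randomization to hashing so that names prepared against a fixed hash no longer share a bucket) can be seen on a toy chained table. This is an added example, not code from the libxml2 patch or from this bug report; the table size, the generated names, the choice of the Jenkins one-at-a-time hash and the fixed stand-in seed are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BUCKETS 64u   /* assumed toy table size */
#define NKEYS   32u   /* names selected to share bucket 0 when seed == 0 */

/* Jenkins one-at-a-time hash; the seed is the initial state. */
static uint32_t seeded_hash(const char *s, uint32_t seed)
{
    uint32_t h = seed;
    for (; *s; s++) {
        h += (unsigned char)*s;
        h += h << 10;
        h ^= h >> 6;
    }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

/* Take NKEYS constructed names that all fall in bucket 0 under seed 0
 * and return the longest bucket chain they form under `seed`. */
unsigned worst_chain(uint32_t seed)
{
    unsigned counts[BUCKETS] = {0};
    unsigned found = 0, worst = 0;
    char name[16];

    for (unsigned i = 0; found < NKEYS; i++) {
        snprintf(name, sizeof name, "n%u", i);
        if (seeded_hash(name, 0) % BUCKETS != 0)
            continue;                 /* not in the unseeded colliding set */
        found++;
        unsigned c = ++counts[seeded_hash(name, seed) % BUCKETS];
        if (c > worst)
            worst = c;
    }
    return worst;
}

int main(void)
{
    /* A library would draw the seed from a random source at startup;
     * the constant is a fixed stand-in so the run is repeatable. */
    printf("unseeded: longest chain %u of %u\n", worst_chain(0), NKEYS);
    printf("seeded  : longest chain %u of %u\n", worst_chain(0x9e3779b9u), NKEYS);
    return 0;
}
```

With the seed unknown to the sender, the chain length that drives lookup cost is no longer something a prepared document can dictate.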