Your message dated Thu, 27 Jun 2013 21:05:23 +0000
with message-id <e1usjnb-0000la...@franck.debian.org>
and subject line Bug#714241: fixed in xml-security-c 1.6.1-7
has caused the Debian Bug report #714241,
regarding xml-security-c: CVE-2013-2210
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xml-security-c
Severity: grave
Tags: security patch
Justification: user security hole
Hi Russ,
the following vulnerability was published for xml-security-c. It looks like
the fix for CVE-2013-2154 introduced the possibility of a heap overflow.
CVE-2013-2210[0]:
heap overflow during XPointer evaluation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
http://security-tracker.debian.org/tracker/CVE-2013-2210
[1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
[2] http://svn.apache.org/viewvc?view=revision&revision=r1496703
Could you double check this, and prepare packages for squeeze and
wheezy too?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xml-security-c
Source-Version: 1.6.1-7
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 714...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <r...@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 27 Jun 2013 13:44:56 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-7
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Russ Allbery <r...@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
xml-security-c (1.6.1-7) unstable; urgency=high
.
* The attempted fix to address CVE-2013-2154 introduced the possibility
of a heap overflow, possibly leading to arbitrary code execution, in
the processing of malformed XPointer expressions in the XML Signature
Reference processing code. Apply upstream patch to fix that heap
overflow. (Closes: #714241, CVE-2013-2210)
Checksums-Sha1:
00bfb2fe2d2610247399a92d25be1b6741fb1894 1785 xml-security-c_1.6.1-7.dsc
88bab9e767cbba07ad789b245547fcfcc461a096 12009 xml-security-c_1.6.1-7.debian.tar.gz
7fc0b8e1da45668cfc87100eb5217643a3a8bfca 359686 libxml-security-c16_1.6.1-7_i386.deb
58f871c561ee58e67ccfa167404bf9d4bc641917 151294 libxml-security-c-dev_1.6.1-7_i386.deb
Checksums-Sha256:
2b9323dc02ceb2705fc22395dcd4e170f72c8cc3bea321689c69d86c02a09774 1785 xml-security-c_1.6.1-7.dsc
dc9308b535a57592ae450c8374be2eb6081d539c1f64d44c79ab11095153555b 12009 xml-security-c_1.6.1-7.debian.tar.gz
82342fc3a0982d62e5fbf0a2a2eb089747f9ae4a8dc1dde7cbbcceb83fdce1be 359686 libxml-security-c16_1.6.1-7_i386.deb
a9530bad8d09482a79ea7322bd1c422fd6156e4c0480b6893a2f27cdb6e9eab7 151294 libxml-security-c-dev_1.6.1-7_i386.deb
Files:
094bf36076fe14078fe156029ec8a981 1785 libs extra xml-security-c_1.6.1-7.dsc
2818b708f8525ede455dfa57f768c2a5 12009 libs extra xml-security-c_1.6.1-7.debian.tar.gz
2526c149389b0d418653aaf56036cd2e 359686 libs extra libxml-security-c16_1.6.1-7_i386.deb
153a8eee6ee8d937e6a66ae331b579cf 151294 libdevel extra libxml-security-c-dev_1.6.1-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJRzKYiAAoJEH2AMVxXNt51WL0H/jG3B/qEKrDXDtuViCeU/7ke
ez8KhhY7gmTojUl+qY0X5xkjnH50dpCBh+0HmmPwDodyRjAeHH+vnVmbOX/Sfaea
5DBLHuq6+eF0f/9Zlwxx6/xkO5z/wzjpxA9aOiTOKK99WO145PBshvVacmK2vt4I
vblFWXr3Cmo7i1YMqbqXNhAGFGm8mvFUI5/+X9KjquqkOHzw8gupsy5nN7TxWOep
Dmvuen9GC+ce+8U1AONZJ1ZcOGqFk+rd264BkpgqQCsr4CetJ5Qlr5x0gD6Q9419
tvEf36pE0oRI1wdLmMhuSzOroaTSuPY4XrOd4c0adYXwXKhNu3OfcHodtERwcT8=
=c4fI
-----END PGP SIGNATURE-----
--- End Message ---