Your message dated Thu, 27 Jun 2013 21:05:34 +0000
with message-id <e1usjnm-0000sn...@franck.debian.org>
and subject line Bug#714241: fixed in xml-security-c 1.7.2-1
has caused the Debian Bug report #714241,
regarding xml-security-c: CVE-2013-2210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xml-security-c
Severity: grave
Tags: security patch
Justification: user security hole

Hi Russ,

the following vulnerability was published for xml-security-c. It looks
like the fix for CVE-2013-2154 introduced the possibility of a heap overflow.

CVE-2013-2210[0]:
heap overflow during XPointer evaluation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
    http://security-tracker.debian.org/tracker/CVE-2013-2210
[1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
[2] http://svn.apache.org/viewvc?view=revision&revision=r1496703

Could you double check this, and prepare packages for squeeze and
wheezy too?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xml-security-c
Source-Version: 1.7.2-1

We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <r...@debian.org> (supplier of updated xml-security-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:00:54 -0700
Source: xml-security-c
Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils
Architecture: source i386
Version: 1.7.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Russ Allbery <r...@debian.org>
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 714241
Changes: 
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code.  Fix that heap
       overflow.  (Closes: #714241, CVE-2013-2210)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
