Your message dated Sat, 29 Jun 2013 10:48:03 +0000 with message-id <e1usshh-0000ax...@franck.debian.org> and subject line Bug#714241: fixed in xml-security-c 1.5.1-3+squeeze3 has caused the Debian Bug report #714241, regarding xml-security-c: CVE-2013-2210 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: xml-security-c Severity: grave Tags: security patch Justification: user security hole Hi Russ, the following vulnerability was published for xml-security-c. It looks the fix for CVE-2013-2154 introduced the possibility of a heap overflow. CVE-2013-2210[0]: heap overflow during XPointer evaluation If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210 http://security-tracker.debian.org/tracker/CVE-2013-2210 [1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt [2] http://svn.apache.org/viewvc?view=revision&revision=r1496703 Could you double check this, and prepare packages for squeeze and wheezy too? Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: xml-security-c Source-Version: 1.5.1-3+squeeze3 We believe that the bug you reported is fixed in the latest version of xml-security-c, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 714...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Russ Allbery <r...@debian.org> (supplier of updated xml-security-c package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 27 Jun 2013 15:15:18 -0700 Source: xml-security-c Binary: libxml-security-c15 libxml-security-c-dev Architecture: source i386 Version: 1.5.1-3+squeeze3 Distribution: oldstable-security Urgency: high Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org> Changed-By: Russ Allbery <r...@debian.org> Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c15 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. (Closes: #714241, CVE-2013-2210) Checksums-Sha1: 8ab33f3e4f2f86f2400a900d97850dc11b0b2b67 1670 xml-security-c_1.5.1-3+squeeze3.dsc 0baa3d982be6e10174b3c44ec6fdbe5844ccefd4 11620 xml-security-c_1.5.1-3+squeeze3.diff.gz d6ad35760bc00e601e1f57b2dcccde1b9279c716 353922 libxml-security-c15_1.5.1-3+squeeze3_i386.deb 40f1e58a8c278dacca0a9f6ccbb2499aad20148c 141932 libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb Checksums-Sha256: b631057a640a9df2bfe292e971ce064028acfe4bc6cdb17e670408c9f4b43dde 1670 xml-security-c_1.5.1-3+squeeze3.dsc b1e4d83a267a40316e30f1b961b51e7cb7a9b2b7fb82929f2cfb396136936b1f 11620 xml-security-c_1.5.1-3+squeeze3.diff.gz 887e28919a86e19cbdd6a496ed06c9b366366374ae00a78a8637da7f1b2397d3 353922 libxml-security-c15_1.5.1-3+squeeze3_i386.deb 956a172a4debd28ef6cc61b7b3803a72f65bf9357fb4c4f9eec7b5444f254e66 141932 libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb Files: 844929bf53f34c0ebc97c54bcd9f484b 1670 libs extra xml-security-c_1.5.1-3+squeeze3.dsc d224b034021957819fa8f08f3058a971 11620 libs extra xml-security-c_1.5.1-3+squeeze3.diff.gz 7e60f8d3ffe67987d98a773986d985b2 353922 libs extra libxml-security-c15_1.5.1-3+squeeze3_i386.deb c0fc7af171374aa6e1ba762d797460ff 141932 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRzRfJAAoJEH2AMVxXNt51a0MH/3kUSswfHZwIVkDc9hLbsjgV 2MGL2/K0kPyUSahax86julJCT/flNFlalve3baSlSKW+0bxCz+LEvwdf3Kn2za1g j5K/eNtr4U6M4CeUXV0aPydyRK3NymsPUBim30mTSTLHFCLXfbGCAicnzb99A7LD iaX8Pt2PVkefRm7kcw3BZx/ukPtcb/CKiZf9BeFuDkiWcKQGNyDcI2Z4uEiT+hKj jBZEZICkvnF70oVd286PlHyuThLwXHAj4bJZgRONGZr2RXAomDP6BqYTfak1cQeZ wOO5/qMpnq8pgIV070tFEy6Nb6O1rJpw9ReJu+rMp4RDggBQE+bQld7a7IZNcVA= =vUUF -----END PGP SIGNATURE-----
--- End Message ---
