Your message dated Tue, 21 Jan 2014 21:25:17 +0000
with message-id <e1w5iov-0005cp...@franck.debian.org>
and subject line Bug#736275: fixed in libmarc-xml-perl 1.0.2-1
has caused the Debian Bug report #736275,
regarding libmarc-xml-perl: XXE vulnerability fixed in 1.0.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
736275: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmarc-xml-perl
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

From the CVE request on oss-security (CVE assignment is pending):

----cut---------cut---------cut---------cut---------cut---------cut-----
I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module.  I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server.  I am a committer to both of those projects.

Fix: 
http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/

ChangeLog: https://metacpan.org/changes/distribution/MARC-XML

Announcements:

http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html
http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html
http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html
----cut---------cut---------cut---------cut---------cut---------cut-----

See: http://www.openwall.com/lists/oss-security/2014/01/21/5

I have not checked the details; unstable, which has 1.0.1, is affected;
I have not checked the other versions.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libmarc-xml-perl
Source-Version: 1.0.2-1

We believe that the bug you reported is fixed in the latest version of
libmarc-xml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libmarc-xml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 21 Jan 2014 21:44:08 +0100
Source: libmarc-xml-perl
Binary: libmarc-xml-perl
Architecture: source all
Version: 1.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description: 
 libmarc-xml-perl - Perl library to access MARC data encoded as XML
Closes: 736275
Changes: 
 libmarc-xml-perl (1.0.2-1) unstable; urgency=medium
 .
   * Team upload.
 .
   * New upstream release.
     Fixes XXE vulnerability:
     - MARC::File::XML will now die upon parsing a record that
       declares an external entity and tries to use it. This
       prevents the potential unwanted disclosure of the contents
       of files on the server by applications that embed this module.
     Closes: #736275
   * Update years of packaging copyright.
   * Declare compliance with Debian Policy 3.9.5.
Checksums-Sha1:
 8f5c6afbbd25c09b07cbc692ed3826aee5b3d9ac 2192 libmarc-xml-perl_1.0.2-1.dsc
 0b4dd5b7b6a9065cc52220fc8e52ac7522a8239b 18057 libmarc-xml-perl_1.0.2.orig.tar.gz
 8be9e893ad39e6c0c6a4399dee4931d6886b9674 3448 libmarc-xml-perl_1.0.2-1.debian.tar.xz
 c86154a35c1487c1ce41d6952a5c915911f27f22 21184 libmarc-xml-perl_1.0.2-1_all.deb
Checksums-Sha256:
 16b32a32030314498d7e5e5ae43196e7838deb16702a820672a17a70de1bfbf7 2192 libmarc-xml-perl_1.0.2-1.dsc
 65705e0c0eb77b67a65937274f5ef4e2138c76b9ecdf6fcc1a44de241096c33e 18057 libmarc-xml-perl_1.0.2.orig.tar.gz
 f394b825321ecb954665fe848c87829fa9e8afc60b97f0249d7165afd914ecc3 3448 libmarc-xml-perl_1.0.2-1.debian.tar.xz
 a14e8cb3eb09eeab285fc24b285add804ab63de4514066cd5d67213a92908208 21184 libmarc-xml-perl_1.0.2-1_all.deb
Files:
 1dc5c136b52f00f9e329d9947009631c 2192 perl optional libmarc-xml-perl_1.0.2-1.dsc
 86c2e1c7254f5f9388d541ae33318718 18057 perl optional libmarc-xml-perl_1.0.2.orig.tar.gz
 4d5acf54353ebeeffbeb56c3c9a193ce 3448 perl optional libmarc-xml-perl_1.0.2-1.debian.tar.xz
 75b17bdbc993e607d9027eeaa68e9eb0 21184 perl optional libmarc-xml-perl_1.0.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
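The changelog entry in the message above describes the 1.0.2 behaviour: the parse dies when a record declares an external entity and actually uses it, which is what stops a crafted MARCXML record from pulling a server-side file into the record. The following is an added example and is not code from MARC::File::XML, Koha, Evergreen or the Debian package. It reproduces that behaviour in Python on the standard library's expat binding, next to a deliberately resolving parser that shows what such a record leaks. The MARCXML records, the entity name `xxe`, the temporary secret file and its contents are constructed for the example.

```python
"""XXE against a MARCXML record: resolving parser vs. one that dies on use.

Added example on xml.parsers.expat; not MARC::File::XML code. Records, the
entity name and the secret file are constructed here.
"""
import os
import pathlib
import tempfile
import xml.parsers.expat
from urllib.parse import urlparse
from urllib.request import url2pathname


class ExternalEntityError(Exception):
    """Raised by the hardened parser when a record uses an external entity."""


def parse_marcxml(xml_bytes, resolve_external_entities):
    """Parse one MARCXML record; return its leader, 245$a and declared entities.

    resolve_external_entities=True plays the part of a parser that loads
    external entities (what XXE needs). False mirrors the 1.0.2 behaviour:
    the parse dies as soon as a declared external entity is referenced.
    """
    p = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    p.buffer_text = True
    result = {"leader": "", "title": "", "declared_external": []}
    cur = {"tag": None, "target": None}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:          # SYSTEM/PUBLIC identifier: external
            result["declared_external"].append(name)

    def external_entity_ref(context, base, system_id, public_id):
        if not resolve_external_entities:
            raise ExternalEntityError(f"record uses external entity {system_id!r}")
        url = urlparse(system_id)
        if url.scheme != "file":
            return 0                       # this example resolves file: URIs only
        # Vulnerable path: read the file and hand it to expat as the entity's
        # replacement text, so its contents land inside the record.
        sub = p.ExternalEntityParserCreate(context)
        with open(url2pathname(url.path), "rb") as fh:
            sub.Parse(fh.read(), True)
        return 1

    def start(name, attrs):
        local = name.split(" ")[-1]        # drop the MARC21/slim namespace
        if local == "datafield":
            cur["tag"] = attrs.get("tag")
        elif local == "leader":
            cur["target"] = "leader"
        elif local == "subfield" and cur["tag"] == "245" and attrs.get("code") == "a":
            cur["target"] = "title"

    def end(name):
        local = name.split(" ")[-1]
        if local in ("leader", "subfield"):
            cur["target"] = None
        elif local == "datafield":
            cur["tag"] = None

    def chars(data):
        if cur["target"]:
            result[cur["target"]] += data

    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_entity_ref
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(xml_bytes, True)
    return result


# Constructed benign record in the MARC21 slim layout.
BENIGN_RECORD = b"""<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="1" ind2="0">
    <subfield code="a">Hardening XML parsers</subfield>
  </datafield>
</record>
"""


def entity_record(secret_path, use_entity):
    """Constructed record whose internal DTD declares an external entity for
    secret_path; with use_entity it is referenced from 245$a (the attack),
    otherwise it is only declared, which the hardened parser tolerates."""
    body = "&xxe;" if use_entity else "Declared but unused"
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE record [
  <!ENTITY xxe SYSTEM "{pathlib.Path(secret_path).as_uri()}">
]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="1" ind2="0">
    <subfield code="a">{body}</subfield>
  </datafield>
</record>
""".encode()


def demo():
    """Return (title leaked by the resolving parser, hardened parser died,
    title and declared entities of the declared-but-unused record)."""
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_user:hunter2")        # constructed stand-in for a config file
    try:
        leaked = parse_marcxml(entity_record(secret_path, True), True)["title"]
        try:
            parse_marcxml(entity_record(secret_path, True), False)
            died = False
        except ExternalEntityError:
            died = True
        unused = parse_marcxml(entity_record(secret_path, False), False)
        return leaked, died, unused["title"], unused["declared_external"]
    finally:
        os.unlink(secret_path)
```

Calling `demo()` returns the secret file's contents as the 245$a title from the resolving parser and `True` for the hardened one having died on the same record, while the record that merely declares `xxe` without referencing it still parses. That last case is the caveat worth keeping in mind when reading the changelog: the trigger is the use of the entity, not its declaration, so an application that wants to reject any DOCTYPE at all has to add that check itself.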
