Your message dated Mon, 15 Aug 2016 17:37:21 +0000
with message-id <e1bzlpb-0007lm...@franck.debian.org>
and subject line Bug#832959: fixed in xmlrpc-epi 0.54.2-1.2
has caused the Debian Bug report #832959,
regarding xmlrpc-epi: CVE-2016-6296: Heap buffer overflow vulnerability in
simplestring_addn in simplestring.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
832959: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xmlrpc-epi
Version: 0.54.2-1
Severity: grave
Tags: security upstream patch
Control: tags -1 fixed 0.54.2-1+deb7u1
Hi,
the following vulnerability was published for xmlrpc-epi. AFAICS it is
used by php7.0 in stretch from system. For stable this probably does
not warrant a DSA, since nothing depends on it.
CVE-2016-6296[0]:
| Integer signedness error in the simplestring_addn function in
| simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before
| 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote
| attackers to cause a denial of service (heap-based buffer overflow) or
| possibly have unspecified other impact via a long first argument to
| the PHP xmlrpc_encode_request function.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6296
Regards,
Salvatore
--- End Message ---
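The advisory quoted above describes an integer signedness error in a string-append length check that lets a long input slip past the "do I need to grow the buffer" test. The following C is an added, constructed illustration and is not xmlrpc-epi's code: a minimal growable string whose flawed int-based check is shown beside a size_t version that rejects an oversized length before the arithmetic can wrap. The names `sstr`, `needs_grow_int`, `needs_grow_checked` and `sstr_addn` are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable string (hypothetical, not xmlrpc-epi's simplestring). */
typedef struct {
    char  *str;
    size_t len;   /* bytes in use, excluding the NUL terminator */
    size_t size;  /* bytes allocated */
} sstr;

/* The flawed check. Real signed overflow is undefined behaviour, so the sum is
 * formed unsigned and converted back to int, which is what a two's-complement
 * build effectively does. A huge add_len wraps the sum negative, the "needs
 * growth" answer comes out false, and a following memcpy of add_len bytes
 * would run off the end of the heap buffer. */
int needs_grow_int(int len, int add_len, int size) {
    int needed = (int)((unsigned)len + (unsigned)add_len + 1u);
    return needed > size;
}

/* Hardened check: unsigned lengths plus an explicit overflow test before the
 * addition, so an oversized add_len is reported (-1) instead of wrapping. */
int needs_grow_checked(size_t len, size_t add_len, size_t size, size_t *needed) {
    if (len > SIZE_MAX - 1 || add_len > SIZE_MAX - 1 - len)
        return -1;
    *needed = len + add_len + 1;
    return *needed > size;
}

/* Append add_len bytes of src using the hardened check.
 * Returns 0 on success, -1 on length overflow or allocation failure. */
int sstr_addn(sstr *t, const char *src, size_t add_len) {
    size_t needed;
    int grow = needs_grow_checked(t->len, add_len, t->size, &needed);
    if (grow < 0)
        return -1;
    if (grow) {
        /* Double when that is safe and sufficient, otherwise allocate exactly. */
        size_t newsize = (t->size <= SIZE_MAX / 2 && t->size * 2 > needed)
                         ? t->size * 2 : needed;
        char *p = realloc(t->str, newsize);
        if (!p)
            return -1;
        t->str = p;
        t->size = newsize;
    }
    memcpy(t->str + t->len, src, add_len);
    t->len += add_len;
    t->str[t->len] = '\0';
    return 0;
}
```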
--- Begin Message ---
Source: xmlrpc-epi
Source-Version: 0.54.2-1.2
We believe that the bug you reported is fixed in the latest version of
xmlrpc-epi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated xmlrpc-epi
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Aug 2016 19:11:42 +0200
Source: xmlrpc-epi
Binary: libxmlrpc-epi-dev libxmlrpc-epi0 libxmlrpc-epi0-dbg
Architecture: source
Version: 0.54.2-1.2
Distribution: unstable
Urgency: medium
Maintainer: Robin Cornelius <robin.cornel...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 832959
Description:
libxmlrpc-epi-dev - Development files for libxmlrpc-epi0, an XML-RPC request library
libxmlrpc-epi0 - XML-RPC request serialisation/deserialisation library
libxmlrpc-epi0-dbg - Debug symbols for libxmlrpc-epi0, an XML-RPC request library
Changes:
xmlrpc-epi (0.54.2-1.2) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn
(Closes: #832959)
Checksums-Sha1:
ae2305dbcaaf512e2e7e010455b079345e6f1201 2100 xmlrpc-epi_0.54.2-1.2.dsc
3ca1a91e42090bc552bbce07dfc6e8580fad2aa1 4644 xmlrpc-epi_0.54.2-1.2.diff.gz
Checksums-Sha256:
6f100d957e13da826e034b2c0fe940b9bc32c29cab05b6e80a5eb0d68b2598d3 2100 xmlrpc-epi_0.54.2-1.2.dsc
b83401db30bac8fa078fdb5dd2d0527a4c55a3a5ce08e1852451ad21cfddb052 4644 xmlrpc-epi_0.54.2-1.2.diff.gz
Files:
d754249bad45d7a7e995c7b1aa7cce6f 2100 libs extra xmlrpc-epi_0.54.2-1.2.dsc
e3dcb31c6bea3033454ad1057be29808 4644 libs extra xmlrpc-epi_0.54.2-1.2.diff.gz
--- End Message ---