Your message dated Sun, 30 Oct 2016 15:47:56 +0000
with message-id <e1c0sky-00080f...@fasolo.debian.org>
and subject line Bug#842570: fixed in libxslt 1.1.29-2
has caused the Debian Bug report #842570,
regarding libxslt: CVE-2016-4738: possible heap overread
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
842570: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842570
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.28-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for libxslt.

CVE-2016-4738[0]:
| libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
| watchOS before 3 allows remote attackers to execute arbitrary code or
| cause a denial of service (memory corruption) via a crafted web site.

Unfortunately as for many libxml2 issues, the above is not very
specific and there is upstream bug referenced. But the fix is
mentioned as [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4738
[1] https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.29-2

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mat...@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Oct 2016 14:01:00 +0000
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source
Version: 1.1.29-2
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Mattia Rizzolo <mat...@debian.org>
Description:
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 842570
Changes:
 libxslt (1.1.29-2) unstable; urgency=high
 .
   * Team upload.
   * Bump debhelper compat level to 10.
     + --parallel is now default
     + --with autoreconf is now default
   * Add patch from upstream to fix a heap overread which could cause remote
     arbitrary code execution or denial of service.
     Closes: #842570 — CVE-2016-4738

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
