Your message dated Sat, 24 Dec 2016 21:02:12 +0000
with message-id <e1cktsg-000f96...@fasolo.debian.org>
and subject line Bug#840554: fixed in libxml2 2.9.1+dfsg1-5+deb8u4
has caused the Debian Bug report #840554,
regarding libxml2: CVE-2016-5131
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
840554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840554
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.4+dfsg1-2
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for libxml2.
CVE-2016-5131[0]:
| Use-after-free vulnerability in libxml2 through 2.9.4, as used in
| Google Chrome before 52.0.2743.82, allows remote attackers to cause a
| denial of service or possibly have unspecified other impact via
| vectors related to the XPointer range-to function.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-5131
[1] https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1358641#c3
[3] https://bugzilla.gnome.org/show_bug.cgi?id=768428 (not public)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.1+dfsg1-5+deb8u4
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 17 Dec 2016 19:42:58 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg
libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: all source
Version: 2.9.1+dfsg1-5+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 840553 840554
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
libxml2-utils-dbg - XML utilities (debug extension)
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug
extension)
Changes:
libxml2 (2.9.1+dfsg1-5+deb8u4) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix comparison with root node in xmlXPathCmpNodes
* Fix XPointer paths beginning with range-to (CVE-2016-5131)
(Closes: #840554)
* Disallow namespace nodes in XPointer ranges (CVE-2016-4658)
(Closes: #840553)
* Fix more NULL pointer derefs in xpointer.c
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---