Your message dated Fri, 29 Mar 2019 01:21:02 +0000
with message-id <e1h9gcc-0007gg...@fasolo.debian.org>
and subject line Bug#924346: fixed in xmltooling 1.6.0-4+deb9u2
has caused the Debian Bug report #924346,
regarding xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
924346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xmltooling
Version: 3.0.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.shibboleth.net/jira/browse/CPPXT-143
Control: found -1 1.6.0-4+deb9u1
Control: found -1 1.6.0-4
Hi,
The following vulnerability was published for xmltooling, filing for tracking.
CVE-2019-9628[0]:
XML parser class fails to trap exceptions on malformed XML declaration
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9628
[1] https://shibboleth.net/community/advisories/secadv_20190311.txt
[2] https://issues.shibboleth.net/jira/browse/CPPXT-143
[3] https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xmltooling
Source-Version: 1.6.0-4+deb9u2
We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <wf...@debian.org> (supplier of updated xmltooling package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 12 Mar 2019 13:40:20 +0100
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wf...@debian.org>
Description:
libxmltooling-dev - C++ XML parsing library with encryption support (development)
libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
libxmltooling7 - C++ XML parsing library with encryption support (runtime)
xmltooling-schemas - XML schemas for XMLTooling
Closes: 924346
Changes:
xmltooling (1.6.0-4+deb9u2) stretch-security; urgency=high
.
* [2f0c065] New patch fixing CVE-2019-9628: uncaught exception on malformed XML declaration.
Invalid data in the XML declaration causes an exception of a type
that was not handled properly in the parser class and propagates an
unexpected exception type.
This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.
https://shibboleth.net/community/advisories/secadv_20190311.txt
https://issues.shibboleth.net/jira/browse/CPPXT-143
Thanks to Scott Cantor (Closes: #924346)
--- End Message ---
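The changelog above describes an exception of an unexpected type escaping the parser entry point and crashing the calling process. The C++ below is an added illustration of that bug class, not code from xmltooling, Xerces or the Debian package: a toy parser throws a second exception type on a bad XML declaration, and the hypothetical parseVulnerable/parseHardened wrappers contrast catching only the documented type with catching everything at the boundary.

```cpp
// Added example (hypothetical names, not xmltooling's API): why a parse
// boundary that traps only its "expected" exception type lets another type
// escape, and how a catch-all boundary stops that.
#include <exception>
#include <stdexcept>
#include <string>

// The exception type the wrapper documents to its callers.
struct ParserException : std::runtime_error {
    using std::runtime_error::runtime_error;
};
// A second, unrelated type raised by lower-level code; stands in for the
// exception class that the real fix started trapping.
struct DeclarationException : std::exception {
    const char* what() const noexcept override { return "bad XML declaration"; }
};

// Toy "parser": requires <?xml version="1.0" ...>. A missing declaration
// raises the documented type; an unknown version raises the unexpected one.
static void rawParse(const std::string& doc) {
    const std::string head = "<?xml version=\"";
    if (doc.compare(0, head.size(), head) != 0)
        throw ParserException("missing XML declaration");
    std::string::size_type q = doc.find('"', head.size());
    if (q == std::string::npos || doc.substr(head.size(), q - head.size()) != "1.0")
        throw DeclarationException();
}

// Vulnerable boundary: only ParserException is handled, so a
// DeclarationException propagates to a caller that never expects it
// (in a daemon with no outer handler, that is std::terminate).
bool parseVulnerable(const std::string& doc) {
    try { rawParse(doc); return true; }
    catch (const ParserException&) { return false; }
}

// Hardened boundary: every exception is converted to a failure result
// before it crosses back to the caller, whatever its type.
bool parseHardened(const std::string& doc) {
    try { rawParse(doc); return true; }
    catch (const ParserException&) { return false; }
    catch (const std::exception&) { return false; }   // unexpected library type
    catch (...) { return false; }                      // anything else
}

// Demonstration helper: does the vulnerable wrapper leak the undocumented type?
bool vulnerableLeaks(const std::string& doc) {
    try { parseVulnerable(doc); return false; }
    catch (const DeclarationException&) { return true; }
}
```

The constructed inputs `<?xml version="1.0"?><a/>`, `<?xml version="abc"?><a/>` and `<a/>` exercise the good, malformed-declaration and missing-declaration paths respectively.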