Your message dated Sat, 22 May 2021 06:48:27 +0000
with message-id <e1lklqx-0005z7...@fasolo.debian.org>
and subject line Bug#988603: fixed in libxml2 2.9.10+dfsg-6.7
has caused the Debian Bug report #988603,
regarding libxml2: CVE-2021-3541: Exponential entity expansion attack bypasses
all existing protection mechanisms
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
988603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.10+dfsg-6.6
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libxml2.
CVE-2021-3541[0]:
| Exponential entity expansion attack bypasses all existing protection
| mechanisms
Technical details for the vulnerability are unfortunately not public,
but it looks like the flaw is essentially a variant of the billion
laughs attack (CVE-2003-1564) which can lead to denial of service for
applications using libxml2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3541
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
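Added example, not part of the bug report or of libxml2 itself: a pre-parse check that estimates how far the entities declared in a document's internal DTD subset would expand, and rejects the document (exponential nesting, recursive references, or an excessive expansion ratio) before it ever reaches an XML parser. It assumes a simplified grammar of general entities with double-quoted literal values (parameter and external entities are not modelled), and both sample documents are constructed here.

```python
import re
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')   # general entity, quoted literal
ENTITY_REF = re.compile(r'&(\w+);')

def split_doctype(xml_text):
    """Return (entity map, body) with the internal DTD subset cut out of the body."""
    m = re.search(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', xml_text, re.S)
    if not m:
        return {}, xml_text
    return dict(ENTITY_DECL.findall(m.group(1))), xml_text[:m.start()] + xml_text[m.end():]

def expansion_sizes(entities, limit):
    """Fully expanded length of each entity; abort past `limit` bytes or on a cycle."""
    sizes = {}
    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity &{name};")
        text = entities.get(name)
        if text is None:
            return len(name) + 2            # undeclared/predefined: counted as the literal "&name;"
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - pos + size_of(ref.group(1), stack | {name})
            pos = ref.end()
            if total > limit:
                raise ValueError(f"entity &{name}; expands past {limit} bytes")
        sizes[name] = total + len(text) - pos
        return sizes[name]
    for name in entities:
        size_of(name, frozenset())
    return sizes

def check_document(xml_text, max_entity_bytes=100_000, max_ratio=10):
    """Return (accepted, reason) before the text ever reaches the XML parser."""
    entities, body = split_doctype(xml_text)
    try:
        sizes = expansion_sizes(entities, max_entity_bytes)
    except ValueError as err:
        return False, str(err)
    # Upper bound on the expanded body: every reference replaced by its full expansion.
    expanded = len(body) + sum(sizes.get(n, len(n) + 2) for n in ENTITY_REF.findall(body))
    if expanded > max_ratio * len(xml_text):
        return False, f"expansion ratio {expanded / len(xml_text):.1f}x exceeds {max_ratio}x"
    return True, "ok"

# Constructed samples: four nested entity levels (ten references each) vs. an ordinary document.
LAUGHS = '<!DOCTYPE r [<!ENTITY e0 "aaaaaaaaaa">' + "".join(
    '<!ENTITY e%d "%s">' % (i, "&e%d;" % (i - 1) * 10) for i in range(1, 4)) + ']><r>&e3;</r>'
BENIGN = '<!DOCTYPE n [<!ENTITY co "Example Corp">]><n>&co; &amp; partners, &co;</n>'
```

The check is deliberately conservative (undeclared and predefined entities are counted at their literal length), so it errs on the side of rejecting rather than under-counting.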
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.10+dfsg-6.7
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 22 May 2021 08:21:29 +0200
Source: libxml2
Architecture: source
Version: 2.9.10+dfsg-6.7
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 988603
Changes:
libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium
.
* Non-maintainer upload.
* Patch for security issue CVE-2021-3541 (Closes: #988603)
--- End Message ---