Your message dated Sat, 12 Jun 2021 10:47:08 +0000
with message-id <e1ls1as-0004jf...@fasolo.debian.org>
and subject line Bug#988603: fixed in libxml2 2.9.4+dfsg1-7+deb10u2
has caused the Debian Bug report #988603,
regarding libxml2: CVE-2021-3541: Exponential entity expansion attack bypasses all existing protection mechanisms
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
988603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.10+dfsg-6.6
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libxml2.
CVE-2021-3541[0]:
| Exponential entity expansion attack bypasses all existing protection
| mechanisms
Technical details for the vulnerability are unfortunately not public,
but it looks like the flaw is essentially a variant of the billion
laughs attack (CVE-2003-1564) which can lead to denial of service for
applications using libxml2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3541
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
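The report above describes the flaw as a variant of the billion laughs attack. As an added example that is not part of this bug report or of libxml2 itself, the following Python check bounds the worst-case expansion of general entities declared in a document's internal DTD subset before the document is handed to a parser; the sample document, function names and the 10 MB threshold are constructed for illustration.

```python
import re

# Constructed sample: a small "billion laughs" style document with three
# entity levels, each referencing the previous one three times, so the
# root reference expands to 3**3 = 27 copies of "lol" (81 characters).
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

# Internal general entity declarations only; parameter entities (<!ENTITY % ...>)
# and external entities are out of scope for this gate.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def entity_expansion_size(xml_text):
    """Largest expanded length (in characters) of any declared general entity,
    computed from the entity reference graph without expanding anything.
    Returns float('inf') if the graph is recursive (unbounded expansion)."""
    decls = {m.group(1): m.group(3) for m in ENTITY_DECL.finditer(xml_text)}
    memo = {}

    def size(name, stack):
        if name in memo:
            return memo[name]
        if name in stack:                      # entity (indirectly) refers to itself
            return float('inf')
        body = decls[name]
        total = len(ENTITY_REF.sub('', body))  # literal text in this entity
        for ref in ENTITY_REF.findall(body):
            if ref in decls:
                total += size(ref, stack | {name})
            else:                              # &amp; &lt; ... expand to one char
                total += 1
        memo[name] = total
        return total

    return max((size(n, frozenset()) for n in decls), default=0)

def is_safe_to_parse(xml_text, max_expansion=10_000_000):
    """Pre-parse gate: True only if no declared entity could expand beyond
    max_expansion characters, so the document may be passed on to libxml2."""
    return entity_expansion_size(xml_text) <= max_expansion
```

This gate is a size bound on internal general entities only; it complements, and does not replace, installing the patched libxml2 package.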
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.4+dfsg1-7+deb10u2
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 11 Jun 2021 18:57:11 +0200
Source: libxml2
Architecture: source
Version: 2.9.4+dfsg1-7+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 969529 987737 987738 987739 988123 988603
Changes:
libxml2 (2.9.4+dfsg1-7+deb10u2) buster; urgency=medium
.
* Non-maintainer upload.
* Fix out-of-bounds read with 'xmllint --htmlout' (CVE-2020-24977)
(Closes: #969529)
* Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)
(Closes: #987739)
* Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738)
* Fix use-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)
(Closes: #987737)
* Propagate error in xmlParseElementChildrenContentDeclPriv (CVE-2021-3537)
(Closes: #988123)
* Patch for security issue CVE-2021-3541 (Closes: #988603)
--- End Message ---