Your message dated Thu, 23 Oct 2008 15:27:59 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#498768: fixed in libxml2 2.6.27.dfsg-5
has caused the Debian Bug report #498768,
regarding libxml2: does not correctly handle long entity names (CVE-2008-3529)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
498768: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498768
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libxml2
Version: 2.6.32.dfsg-3
Severity: grave
Tags: security
Justification: user security hole

ubuntu just released a fix for a problem in libxml2 [1]. the issue
appears to currently be reserved [2], but since ubuntu has released a
fix, other distributions need to follow suit soon to limit the window
of opportunity for attacks. the description of the problem is

  It was discovered that libxml2 did not correctly handle long entity
  names. If a user were tricked into processing a specially crafted XML
  document, a remote attacker could execute arbitrary code with user
  privileges or cause the application linked against libxml2 to crash,
  leading to a denial of service.

this likely affects all releases (stable, testing, and unstable).

thanks for the hard work.

[1] http://lwn.net/Articles/298282/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6     2.7-13               GNU C Library: Shared libraries
ii  zlib1g    1:1.2.3.3.dfsg-12    compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core  0.11                 XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.6.27.dfsg-5

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_amd64.deb
libxml2-dev_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_amd64.deb
libxml2-doc_2.6.27.dfsg-5_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-5_all.deb
libxml2-utils_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_amd64.deb
libxml2_2.6.27.dfsg-5.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5.diff.gz
libxml2_2.6.27.dfsg-5.dsc
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5.dsc
libxml2_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5_amd64.deb
python-libxml2_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <[EMAIL PROTECTED]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 19 Sep 2008 21:58:33 +0200
Source: libxml2
Binary: python-libxml2 libxml2-dbg libxml2-utils libxml2-doc libxml2-dev libxml2
Architecture: source amd64 all
Version: 2.6.27.dfsg-5
Distribution: stable-security
Urgency: low
Maintainer: Debian XML/SGML Group <[EMAIL PROTECTED]>
Changed-By: Mike Hommey <[EMAIL PROTECTED]>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 498768
Changes:
 libxml2 (2.6.27.dfsg-5) stable-security; urgency=low
 .
   * Fix regressions due to previous security fixes.
     Fixes: CVE-2008-3529. Closes: #498768.
--- End Message ---

