Your message dated Mon, 24 Aug 2009 17:07:01 +0000
with message-id <[email protected]>
and subject line Bug#541986: fixed in xerces-c2 2.8.0+deb1-2
has caused the Debian Bug report #541986,
regarding CVE-2009-1885: DoS vulnerability (by simply nested DTD structures)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
541986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541986
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xerces-c
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems, there is a DoS vulnerability in xerces-c (very probably in the
2.x version too):

http://svn.apache.org/viewvc?view=rev&revision=781488
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/

Regards, Daniel


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 
'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.29-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp7a78ACgkQm0bx+wiPa4z8OwCfUcfA/e/9K06YPMiyGUL39Gku
7RsAoJ+gPOJk68PRvxUi2OpQ/Qf+OuoR
=2K6i
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: xerces-c2
Source-Version: 2.8.0+deb1-2

We believe that the bug you reported is fixed in the latest version of
xerces-c2, which is due to be installed in the Debian FTP archive:

libxerces-c2-dev_2.8.0+deb1-2_i386.deb
  to pool/main/x/xerces-c2/libxerces-c2-dev_2.8.0+deb1-2_i386.deb
libxerces-c2-doc_2.8.0+deb1-2_all.deb
  to pool/main/x/xerces-c2/libxerces-c2-doc_2.8.0+deb1-2_all.deb
libxerces-c28_2.8.0+deb1-2_i386.deb
  to pool/main/x/xerces-c2/libxerces-c28_2.8.0+deb1-2_i386.deb
xerces-c2_2.8.0+deb1-2.diff.gz
  to pool/main/x/xerces-c2/xerces-c2_2.8.0+deb1-2.diff.gz
xerces-c2_2.8.0+deb1-2.dsc
  to pool/main/x/xerces-c2/xerces-c2_2.8.0+deb1-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[email protected]> (supplier of updated xerces-c2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 24 Aug 2009 11:04:38 -0400
Source: xerces-c2
Binary: libxerces-c28 libxerces-c2-dev libxerces-c2-doc
Architecture: source all i386
Version: 2.8.0+deb1-2
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <[email protected]>
Changed-By: Jay Berkenbilt <[email protected]>
Description: 
 libxerces-c2-dev - validating XML parser library for C++ (development files)
 libxerces-c2-doc - validating XML parser library for C++ (documentation)
 libxerces-c28 - validating XML parser library for C++
Closes: 541986
Changes: 
 xerces-c2 (2.8.0+deb1-2) unstable; urgency=low
 .
   * Apply patch to correct CVE-2009-1885: DoS attack from nested DTDs.
     (Closes: #541986)
Checksums-Sha1: 
 5c57eaae8ba7eb9b519fcfb8342127dcbf5c4050 1076 xerces-c2_2.8.0+deb1-2.dsc
 cb0499d658f3ddac5ba019b2181b1bff37e6150c 10168 xerces-c2_2.8.0+deb1-2.diff.gz
 e1e15a72752bef0b2589a7cd0e1d88e4c86f60bd 5126202 
libxerces-c2-doc_2.8.0+deb1-2_all.deb
 48a915038558062a74d70f375069786f63962028 1396640 
libxerces-c28_2.8.0+deb1-2_i386.deb
 d87782fff37c0ab77153a45981352f47ff58be19 773360 
libxerces-c2-dev_2.8.0+deb1-2_i386.deb
Checksums-Sha256: 
 552dce69dcf519e611756181e6e7a051412e19b9068fcc73351a924267bb4c49 1076 
xerces-c2_2.8.0+deb1-2.dsc
 39bf525f30f706c41c590bd311384a2ebb7de9fa6ea944da4faf765c7d662420 10168 
xerces-c2_2.8.0+deb1-2.diff.gz
 f86aa104a2a94d4913227edaa5af4277768cc67925d8270529354ed8e238e641 5126202 
libxerces-c2-doc_2.8.0+deb1-2_all.deb
 8db67813fbfdfcea3fb8670a0fa95706ffc31e8e48a652eefa48a2414dedc054 1396640 
libxerces-c28_2.8.0+deb1-2_i386.deb
 980cfe6d2c01de0fcc15eca3117c9f830fb78691ad25d2c9d576e96d38afb7c6 773360 
libxerces-c2-dev_2.8.0+deb1-2_i386.deb
Files: 
 c1e731dd31bba731890dff70823b1021 1076 libs optional xerces-c2_2.8.0+deb1-2.dsc
 0a514bab385416ffb026d0a47cf6fe0c 10168 libs optional 
xerces-c2_2.8.0+deb1-2.diff.gz
 4544d6f28bd733ad14188976b275eb7c 5126202 doc optional 
libxerces-c2-doc_2.8.0+deb1-2_all.deb
 985e720252580cd4e84f7a7f60ac41fd 1396640 libs optional 
libxerces-c28_2.8.0+deb1-2_i386.deb
 6afe21660b6ab53f0af49fc176ce1917 773360 libdevel optional 
libxerces-c2-dev_2.8.0+deb1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqSrfkACgkQEBVk6taI4KfqLwCdF38ZkCIy1HBH5cIHjVLKLj6Z
QdQAn0nSY682QJ3FMwrn1NLTNyUc3VvN
=6i4n
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to