Your message dated Mon, 05 Oct 2009 01:54:31 +0000
with message-id <[email protected]>
and subject line Bug#534590: fixed in icu 3.6-2etch3
has caused the Debian Bug report #534590,
regarding does not properly handle invalid byte sequences during Unicode conversion
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
534590: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534590
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: icu
Version: 3.8.1-3+lenny1
Severity: normal
Tags: security

Hi!

There is a security issue with the stable release of icu (it was fixed in
4.0.1, IIUC):

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0153

"International Components for Unicode (ICU) 4.0, 3.6, and other 3.x
versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0
through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10,
and possibly other operating systems, does not properly handle invalid byte
sequences during Unicode conversion, which might allow remote attackers to
conduct cross-site scripting (XSS) attacks."

More details are here:
https://bugzilla.redhat.com/show_bug.cgi?id=503071

Thanks!

-Kees

-- 
Kees Cook                                            @debian.org



--- End Message ---
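The CVE text quoted in the report says only that ICU mishandled invalid byte sequences during Unicode conversion; the mechanism and the fix are not described on this page. As an added illustration (my code, not ICU's and not part of the Debian patch), here is a strict UTF-8 validator that follows the RFC 3629 well-formedness table. The function names and the sample byte strings are my own constructed assumptions. The defensive contract it shows is the one a converter at a trust boundary should meet: every malformed shape (truncated, invalid lead byte, invalid continuation, overlong, surrogate, out of range) is reported at its starting offset instead of being consumed, so a following byte such as '<' is never absorbed into a broken sequence and reaches the HTML escaper intact.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating a byte buffer as UTF-8. */
typedef enum {
    UTF8_OK = 0,
    UTF8_TRUNCATED,    /* multi-byte sequence runs past the end of the input */
    UTF8_BAD_LEAD,     /* lead byte is 0x80..0xC1 or 0xF5..0xFF: never valid */
    UTF8_BAD_TRAIL,    /* a byte inside the sequence is not 10xxxxxx */
    UTF8_OVERLONG,     /* code point encoded with more bytes than needed */
    UTF8_SURROGATE,    /* U+D800..U+DFFF cannot appear in UTF-8 */
    UTF8_OUT_OF_RANGE  /* above U+10FFFF */
} utf8_status;

/* Decode exactly one scalar value from s[0..n). On success stores it in *cp
 * and returns the sequence length (1..4). On failure returns 0 and sets
 * *status; nothing past the offending byte is consumed, so a byte such as
 * '<' that follows a broken sequence is never silently absorbed into it. */
static size_t utf8_decode_one(const uint8_t *s, size_t n, uint32_t *cp,
                              utf8_status *status)
{
    uint8_t b0 = s[0];
    size_t len;
    uint32_t min;          /* smallest code point this length may encode */

    if (b0 < 0x80) { *cp = b0; *status = UTF8_OK; return 1; }
    if (b0 >= 0xC2 && b0 <= 0xDF)      { len = 2; *cp = b0 & 0x1F; min = 0x80; }
    else if (b0 >= 0xE0 && b0 <= 0xEF) { len = 3; *cp = b0 & 0x0F; min = 0x800; }
    else if (b0 >= 0xF0 && b0 <= 0xF4) { len = 4; *cp = b0 & 0x07; min = 0x10000; }
    else { *status = UTF8_BAD_LEAD; return 0; }

    if (n < len) { *status = UTF8_TRUNCATED; return 0; }
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) { *status = UTF8_BAD_TRAIL; return 0; }
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min) { *status = UTF8_OVERLONG; return 0; }
    if (*cp >= 0xD800 && *cp <= 0xDFFF) { *status = UTF8_SURROGATE; return 0; }
    if (*cp > 0x10FFFF) { *status = UTF8_OUT_OF_RANGE; return 0; }
    *status = UTF8_OK;
    return len;
}

/* Validate a whole buffer. Returns UTF8_OK, or the first error found; if
 * err_off is non-NULL it receives the offset where the offending sequence
 * starts (or n when the buffer is well-formed). */
utf8_status utf8_validate(const uint8_t *s, size_t n, size_t *err_off)
{
    size_t off = 0;
    while (off < n) {
        uint32_t cp;
        utf8_status st;
        size_t used = utf8_decode_one(s + off, n - off, &cp, &st);
        if (used == 0) {
            if (err_off) *err_off = off;
            return st;
        }
        off += used;
    }
    if (err_off) *err_off = n;
    return UTF8_OK;
}

int main(void)
{
    /* Constructed inputs: one well-formed string and two malformed shapes
     * that a lenient converter must not pass through unchanged. */
    const uint8_t ok[]   = { 'c', 'a', 'f', 0xC3, 0xA9 };   /* "café" */
    const uint8_t cut[]  = { 0xE2, 0x82, '<', 'b', '>' };    /* truncated, then '<' */
    const uint8_t over[] = { 0xE0, 0x80, 0xAF };             /* overlong '/' */
    size_t off;
    printf("ok:   status %d\n", utf8_validate(ok, sizeof ok, &off));
    printf("cut:  status %d at offset %zu\n", utf8_validate(cut, sizeof cut, &off), off);
    printf("over: status %d at offset %zu\n", utf8_validate(over, sizeof over, &off), off);
    return 0;
}
```

The validator deliberately reports the offset of the sequence start rather than resynchronising on its own: the caller decides whether to reject the input or substitute U+FFFD, and either choice is applied consistently with whatever the downstream consumer (here, a browser) will do with the same bytes.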
--- Begin Message ---
Source: icu
Source-Version: 3.6-2etch3

We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive:

icu-doc_3.6-2etch3_all.deb
  to pool/main/i/icu/icu-doc_3.6-2etch3_all.deb
icu_3.6-2etch3.diff.gz
  to pool/main/i/icu/icu_3.6-2etch3.diff.gz
icu_3.6-2etch3.dsc
  to pool/main/i/icu/icu_3.6-2etch3.dsc
libicu36-dev_3.6-2etch3_i386.deb
  to pool/main/i/icu/libicu36-dev_3.6-2etch3_i386.deb
libicu36_3.6-2etch3_i386.deb
  to pool/main/i/icu/libicu36_3.6-2etch3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[email protected]> (supplier of updated icu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 07 Sep 2009 20:21:59 -0400
Source: icu
Binary: libicu36-dev libicu36 icu-doc
Architecture: source all i386
Version: 3.6-2etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Jay Berkenbilt <[email protected]>
Changed-By: Jay Berkenbilt <[email protected]>
Description: 
 icu-doc    - API documentation for ICU classes and functions
 libicu36   - International Components for Unicode (libraries)
 libicu36-dev - International Components for Unicode (development files)
Closes: 534590
Changes: 
 icu (3.6-2etch3) oldstable-security; urgency=high
 .
   * Apply patch CVE-2009-0153.patch to fix problem handling invalid byte
     sequences during Unicode conversion.  Thanks to Red Hat for
     backporting the patch to ICU version 3.6.  Applying this patch to the
     debian package required pulling in three additional Red Hat patches
     for tickets 5483, 5797, 6001, and 6002 in ICU's issue tracking system
     as well as adjusting offsets in CVE-2008-1036.patch.  (Closes:
     #534590)
Files: 
 8b600075600533ce08c9801ffa571a19 592 libs optional icu_3.6-2etch3.dsc
 601af38fe10a27e08e40985c409bc6c4 45190 libs optional icu_3.6-2etch3.diff.gz
 8bf16fb7db375fb14de7082bcb814733 3239572 doc optional icu-doc_3.6-2etch3_all.deb
 f5d9e50ecb224df9ae4f0c7057097f54 5470148 libs optional libicu36_3.6-2etch3_i386.deb
 d8e1c31e6f1d238353340a9b82da1ed8 6466444 libdevel optional libicu36-dev_3.6-2etch3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFKr8TrXm3vHE4uyloRAtbEAJ9FHPzNYtHX8cuG3Xf8mpD1+bP39wCgndMb
pIx4vAu9EHFoerZ+8wRn4Rs=
=xhfn
-----END PGP SIGNATURE-----



--- End Message ---