Your message dated Wed, 16 Dec 2009 23:50:11 +0000
with message-id <[email protected]>
and subject line Bug#560901: fixed in expat 2.0.1-4+lenny2
has caused the Debian Bug report #560901,
regarding expat: CVE-2009-3560
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
560901: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560901
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: expat
version: 1.95.8-3.4
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for expat.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

I've checked etch and lenny.  They are both affected by this issue.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560



--- End Message ---
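The CVE text above describes a buffer over-read triggered by malformed UTF-8: a decoder that looks at the continuation bytes of a multi-byte sequence before confirming that those bytes actually lie inside the current buffer reads past its end. As an added illustration of the defensive pattern (this is not expat's code and not the Debian patch referenced in this bug; the function names, status codes and sample inputs are constructed for the example), the scanner below checks the sequence length against the remaining buffer first, reports a sequence that is cut off at the end of the buffer as incomplete rather than reading on, and shows how a streaming consumer carries such a tail over to the next chunk:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes for the example. UTF8_INCOMPLETE means "the buffer
 * ends in the middle of a sequence; wait for more input", which is the case a
 * careless decoder turns into an over-read. */
typedef enum { UTF8_OK = 0, UTF8_INCOMPLETE = 1, UTF8_INVALID = 2 } utf8_status;

/* Sequence length implied by a lead byte, or 0 for a byte that cannot start a
 * sequence (stray continuation bytes 0x80..0xBF, overlong leads C0/C1, F5..FF). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return (lead >= 0xC2) ? 2 : 0;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return (lead <= 0xF4) ? 4 : 0;
    return 0;
}

/* Validate buf[0..len). On return *consumed is the offset of the first byte not
 * part of a complete, valid sequence (== len when the whole buffer is valid). */
utf8_status utf8_check(const unsigned char *buf, size_t len, size_t *consumed)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf[i]);
        if (n == 0) { if (consumed) *consumed = i; return UTF8_INVALID; }
        /* The bounds check an over-read lacks: all n bytes must exist in the
         * buffer before any continuation byte is touched. */
        if (i + n > len) { if (consumed) *consumed = i; return UTF8_INCOMPLETE; }
        for (size_t k = 1; k < n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) {
                if (consumed) *consumed = i;
                return UTF8_INVALID;
            }
        }
        i += n;
    }
    if (consumed) *consumed = len;
    return UTF8_OK;
}

/* Model of a streaming consumer: data arrives in `chunk`-byte pieces and an
 * unfinished trailing sequence (at most 3 bytes) is carried into the next piece
 * instead of being read past the end of the current one. */
utf8_status feed_chunks(const unsigned char *data, size_t len, size_t chunk)
{
    unsigned char carry[4];
    size_t ncarry = 0, off = 0;
    if (chunk == 0 || chunk > 64) chunk = 64;
    while (off < len) {
        unsigned char buf[4 + 64];
        size_t take = (len - off < chunk) ? len - off : chunk;
        size_t n, used = 0;
        memcpy(buf, carry, ncarry);
        memcpy(buf + ncarry, data + off, take);
        n = ncarry + take;
        if (utf8_check(buf, n, &used) == UTF8_INVALID) return UTF8_INVALID;
        ncarry = n - used;                 /* 0..3 bytes of an unfinished sequence */
        memcpy(carry, buf + used, ncarry);
        off += take;
    }
    return ncarry ? UTF8_INCOMPLETE : UTF8_OK;
}

int main(void)
{
    /* Constructed samples: a well-formed euro sign split one byte at a time,
     * and a prolog-like text that ends in the middle of a two-byte sequence. */
    static const unsigned char euro[] = { 'a', 0xE2, 0x82, 0xAC, 'b' };
    static const unsigned char cut[]  = { '<', '?', 'x', 'm', 'l', ' ', 0xC3 };
    size_t used = 0;
    printf("euro, 1-byte chunks: %d (0=ok)\n", feed_chunks(euro, sizeof euro, 1));
    printf("truncated prolog: %d (1=incomplete), valid up to offset %zu\n",
           utf8_check(cut, sizeof cut, &used), used);
    return 0;
}
```

`utf8_check` reports where the valid prefix ends, so a caller can hand back exactly the unfinished bytes; a decoder that instead assumes `buf[i + 1]` exists because `buf[i]` announced a two-byte sequence is the shape of bug the CVE describes.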
--- Begin Message ---
Source: expat
Source-Version: 2.0.1-4+lenny2

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-4+lenny2.diff.gz
  to main/e/expat/expat_2.0.1-4+lenny2.diff.gz
expat_2.0.1-4+lenny2.dsc
  to main/e/expat/expat_2.0.1-4+lenny2.dsc
expat_2.0.1-4+lenny2_i386.deb
  to main/e/expat/expat_2.0.1-4+lenny2_i386.deb
lib64expat1-dev_2.0.1-4+lenny2_i386.deb
  to main/e/expat/lib64expat1-dev_2.0.1-4+lenny2_i386.deb
lib64expat1_2.0.1-4+lenny2_i386.deb
  to main/e/expat/lib64expat1_2.0.1-4+lenny2_i386.deb
libexpat1-dev_2.0.1-4+lenny2_i386.deb
  to main/e/expat/libexpat1-dev_2.0.1-4+lenny2_i386.deb
libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
libexpat1_2.0.1-4+lenny2_i386.deb
  to main/e/expat/libexpat1_2.0.1-4+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <[email protected]> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 13 Dec 2009 12:01:05 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source i386
Version: 2.0.1-4+lenny2
Distribution: stable-security
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Daniel Leidert (dale) <[email protected]>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 560901
Changes: 
 expat (2.0.1-4+lenny2) stable-security; urgency=medium
 .
   * Upload to stable to fix security issues.
   * debian/patches/560901_CVE_2009_3560.dpatch: Added.
     - lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
       #560901).
   * debian/patches/00list: Adjusted.
Checksums-Sha1: 
 3db045f46d3f112072c548f98ef0e89e0d68228c 1438 expat_2.0.1-4+lenny2.dsc
 9ea9530b00abdeec86f4d1ee75d0f21adcf08f75 133845 expat_2.0.1-4+lenny2.diff.gz
 7935bbdb01015523ef035f85739554710cee2b98 168162 lib64expat1-dev_2.0.1-4+lenny2_i386.deb
 9eba01ca55fe438a2d8731111400d48efda24710 136330 lib64expat1_2.0.1-4+lenny2_i386.deb
 90c9c8b887cdfb5e92dad16dfc229762a755cde7 210542 libexpat1-dev_2.0.1-4+lenny2_i386.deb
 899a4136998dff3ff9279868a98de61266c6b3db 131876 libexpat1_2.0.1-4+lenny2_i386.deb
 6721f4e278312a6bf2ccd0708a3aaf8b14edeefb 60816 libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
 d363f1687d0bba72885c681ad2ab90d1f64bd5ff 23288 expat_2.0.1-4+lenny2_i386.deb
Checksums-Sha256: 
 858382c592ab7fc7834fe9fc562a6c874df3cfb48072f31a6d0f00b6db89464e 1438 expat_2.0.1-4+lenny2.dsc
 48547d1ff7cadad059c15dcd5aea5d8776a4329a2e3681d667e1baa43c725d4e 133845 expat_2.0.1-4+lenny2.diff.gz
 f670f95316c9aa90f652a53b053263c42ef96da562cbd3b811a9a6d3f558cf7b 168162 lib64expat1-dev_2.0.1-4+lenny2_i386.deb
 935d495b2ae6d6b62e2a4c85b436646ce0c72afa45d59e56cd272fe44da863f2 136330 lib64expat1_2.0.1-4+lenny2_i386.deb
 3bae1d27e8635f421c3c441d23f92e2b1b8b3cb922ba84a352f512c5488cdf6d 210542 libexpat1-dev_2.0.1-4+lenny2_i386.deb
 49a958e259be96ca80eecf4645113889e54f2a510ebbb77f7b1035455e2d89a5 131876 libexpat1_2.0.1-4+lenny2_i386.deb
 718856730e417820861a924bc5251fbf674b0dc3260a549d77b78890be0159dd 60816 libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
 09a5839679469cb1e37472b2a13fe90c7091aba5373bdc82ad3495e3b9fc43e8 23288 expat_2.0.1-4+lenny2_i386.deb
Files: 
 556771752cdeb9b854aae0ecd060e1c5 1438 text optional expat_2.0.1-4+lenny2.dsc
 424badd53b1147b260c2dfd3b7c5f153 133845 text optional expat_2.0.1-4+lenny2.diff.gz
 01b2166f38485842aab660f0a397487a 168162 libdevel optional lib64expat1-dev_2.0.1-4+lenny2_i386.deb
 11942d4c9c36b25882db662b9edf1981 136330 libs optional lib64expat1_2.0.1-4+lenny2_i386.deb
 54ea496b626a1875b6d7cf7519008ec3 210542 libdevel optional libexpat1-dev_2.0.1-4+lenny2_i386.deb
 8c8a91854bf5ee9eec30fda926519bef 131876 libs optional libexpat1_2.0.1-4+lenny2_i386.deb
 009c3b55eeeaa87476ff658c5c654791 60816 debian-installer extra libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
 529f392c091e9e09f74e21e77da69f0c 23288 text optional expat_2.0.1-4+lenny2_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLJWXFbxelr8HyTqQRArGMAJ0ZPmDkT3u25Qea3fFz6beADACkcQCgmsXW
BsCrmpUFxPua70aBzclgjek=
=yN+K
-----END PGP SIGNATURE-----



--- End Message ---