Your message dated Thu, 14 Mar 2019 15:20:27 +0000
with message-id <[email protected]>
and subject line Bug#924346: fixed in xmltooling 3.0.4-1
has caused the Debian Bug report #924346,
regarding xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions
on malformed XML declaration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
924346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924346
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xmltooling
Version: 3.0.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.shibboleth.net/jira/browse/CPPXT-143
Control: found -1 1.6.0-4+deb9u1
Control: found -1 1.6.0-4
Hi,
The following vulnerability was published for xmltooling, filing for
tracking.
CVE-2019-9628[0]:
XML parser class fails to trap exceptions on malformed XML declaration
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9628
[1] https://shibboleth.net/community/advisories/secadv_20190311.txt
[2] https://issues.shibboleth.net/jira/browse/CPPXT-143
[3] https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xmltooling
Source-Version: 3.0.4-1
We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated xmltooling package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Mar 2019 14:58:36 +0100
Source: xmltooling
Architecture: source
Version: 3.0.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 924346
Changes:
xmltooling (3.0.4-1) unstable; urgency=high
.
* [f185b26] New upstream security release: 3.0.4
DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
declaration.
Invalid data in the XML declaration causes an exception of a type
that was not handled properly in the parser class and propagates an
unexpected exception type.
This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.
https://shibboleth.net/community/advisories/secadv_20190311.txt
https://issues.shibboleth.net/jira/browse/CPPXT-143
Thanks to Scott Cantor (Closes: #924346)
Checksums-Sha1:
5bae877c157e05c1161bc104f673c9a30cccfd32 2677 xmltooling_3.0.4-1.dsc
e0ef8e450c6517eca3273d9900777b354d3997bf 608437 xmltooling_3.0.4.orig.tar.bz2
ea9ddb61217250015760c11bf6f1a8641ad3e17b 833 xmltooling_3.0.4.orig.tar.bz2.asc
52ae2293d2f6d0e68c5db083a20cf7c1e35471e9 52912 xmltooling_3.0.4-1.debian.tar.xz
eb4243157a4eecc87bf4033922629fc4416d9b92 9832 xmltooling_3.0.4-1_amd64.buildinfo
Checksums-Sha256:
7597c2b1c21205527531648443586d4b32b6937652e72dedfbcdbb6be9e31bfc 2677 xmltooling_3.0.4-1.dsc
bb87febe730f97fc58f6f6b6782d7ab89bf240944dd6e5f1c1d9681254bb9a88 608437 xmltooling_3.0.4.orig.tar.bz2
d25e2b86fe37f1764ce6262bf6741f378164b1883d5438cd8c8ccc6e7bbd6948 833 xmltooling_3.0.4.orig.tar.bz2.asc
013d771ee9f5be8f1a7268a379e36bf2a5909172612d1314a3af3a90b0ad59e0 52912 xmltooling_3.0.4-1.debian.tar.xz
1778a5430e07a8866e0e0b16401119089b55efe831e863e30ed0617492aa074a 9832 xmltooling_3.0.4-1_amd64.buildinfo
Files:
308c3546142c7658a582a4c42acc1254 2677 libs optional xmltooling_3.0.4-1.dsc
b210bffe55ddaf8ded77af4ac8389639 608437 libs optional xmltooling_3.0.4.orig.tar.bz2
c7858fa00afbaaf864c9b1f7c8c6908b 833 libs optional xmltooling_3.0.4.orig.tar.bz2.asc
b67c62db4d85791052c1b92e5fb015b2 52912 libs optional xmltooling_3.0.4-1.debian.tar.xz
a1e98c1b410ce9126748e118454dfce8 9832 libs optional xmltooling_3.0.4-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
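The changelog above describes the failure class behind CVE-2019-9628: the parser front end traps only the exception types it expects, a malformed XML declaration makes a lower layer throw a different type, and that exception escapes into a caller (shibd, or Apache) that has no handler for it, before any signature on the message has been checked. The following program is an added illustration of that class, not xmltooling's or Shibboleth's code: the exception hierarchy, the toy declaration parser, the "signature check" and the sample documents are all constructed for the example, and it does not reproduce the actual Xerces exception involved in the real bug. It places the vulnerable front end beside a hardened one that converts every failure crossing the boundary into the documented outcome.

```cpp
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>

// Error type the parser front end documents; callers handle this one. (Invented.)
struct XmlParserError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Error from a lower layer (encoding-name validation). Deliberately not
// derived from XmlParserError: that mismatch is what makes the bug possible. (Invented.)
struct TranscodingError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Toy declaration parser: only the XML declaration is examined. Syntax faults
// raise XmlParserError; an unusable encoding name raises TranscodingError.
// Returns the declared encoding, or the default when none is declared.
static std::string parseDeclaration(const std::string& doc) {
    const std::string open = "<?xml";
    if (doc.compare(0, open.size(), open) != 0)
        return "UTF-8";
    size_t end = doc.find("?>");
    if (end == std::string::npos)
        throw XmlParserError("unterminated XML declaration");
    std::string decl = doc.substr(open.size(), end - open.size());
    if (decl.find("version=") == std::string::npos)
        throw XmlParserError("XML declaration lacks version");
    size_t e = decl.find("encoding=");
    if (e == std::string::npos)
        return "UTF-8";
    size_t q1 = decl.find_first_of("\"'", e);
    if (q1 == std::string::npos)
        throw XmlParserError("unquoted encoding value");
    size_t q2 = decl.find(decl[q1], q1 + 1);
    if (q2 == std::string::npos)
        throw XmlParserError("unterminated encoding value");
    std::string enc = decl.substr(q1 + 1, q2 - q1 - 1);
    // EncName ::= [A-Za-z] ([A-Za-z0-9._] | '-')*
    bool ok = !enc.empty() && std::isalpha(static_cast<unsigned char>(enc[0]));
    for (char c : enc)
        ok = ok && (std::isalnum(static_cast<unsigned char>(c)) || c == '.' || c == '_' || c == '-');
    if (!ok)
        throw TranscodingError("invalid encoding name: " + enc);
    return enc;
}

// Vulnerable front end: only its own hierarchy is trapped, so a
// TranscodingError propagates out of the parser class unchanged.
std::string parseVulnerable(const std::string& doc) {
    try {
        return parseDeclaration(doc);
    } catch (const XmlParserError&) {
        return "";  // documented failure signal: empty encoding
    }
}

// Hardened front end: anything thrown while parsing untrusted input becomes
// the documented failure signal. Order matters: specific type first, then
// std::exception, then a catch-all for non-standard exception objects.
std::string parseHardened(const std::string& doc) {
    try {
        return parseDeclaration(doc);
    } catch (const XmlParserError&) {
        return "";
    } catch (const std::exception&) {
        return "";  // real code would log what() here
    } catch (...) {
        return "";
    }
}

// Models the calling daemon: parse first, check the signature afterwards,
// so whatever escapes the parser happens before any trust decision.
// Returns 1 accepted, 0 rejected, -1 "crash" (an exception escaped parsing;
// in a daemon with no handler at this point that is std::terminate).
int handleMessage(const std::string& doc, bool hardened) {
    std::string enc;
    try {
        enc = hardened ? parseHardened(doc) : parseVulnerable(doc);
    } catch (...) {
        return -1;
    }
    if (enc.empty())
        return 0;
    // Stand-in for signature verification: constructed marker, not real XML-DSig.
    return doc.find("<Signature") != std::string::npos ? 1 : 0;
}

// Constructed sample documents (not captured traffic).
const std::string kGoodDoc = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Response><Signature/></Response>";
const std::string kBadEncodingDoc = "<?xml version=\"1.0\" encoding=\"$$\"?><Response><Signature/></Response>";
const std::string kUnterminatedDoc = "<?xml version=\"1.0\"";

int main() {
    std::cout << "vulnerable, bad encoding: " << handleMessage(kBadEncodingDoc, false) << "\n"
              << "hardened,   bad encoding: " << handleMessage(kBadEncodingDoc, true) << "\n";
    return 0;
}
```

Note that kBadEncodingDoc carries the signature marker, yet the vulnerable path never reaches the check: the declaration is parsed before authenticity is evaluated, which is why the advisory text says the crash is reachable by an untrusted sender. The hardened variant rejects the same input cleanly.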