Your message dated Mon, 24 Jun 2019 23:19:27 +0000
with message-id <[email protected]>
and subject line Bug#931031: fixed in expat 2.2.6-2
has caused the Debian Bug report #931031,
regarding expat: CVE-2018-20843
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/issues/186
Hi,
The following vulnerability was published for expat.
CVE-2018-20843[0]:
| In libexpat in Expat before 2.2.7, XML input including XML names that
| contain a large number of colons could make the XML parser consume a
| high amount of RAM and CPU resources while processing (enough to be
| usable for denial-of-service attacks).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
[2] https://github.com/libexpat/libexpat/issues/186
[3] https://github.com/libexpat/libexpat/pull/262
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
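The quoted CVE text above concerns extraction of the namespace prefix from XML names (a well-formed QName needs at most one colon). As an added example that is not from this thread, Debian or libexpat, here is a defender-side Python pre-filter that flags documents whose element or attribute names carry more colons than that, together with a check of the expat version linked into the interpreter; the regex scan is a heuristic, and the version check is only a hint because distributions backport fixes (this very upload keeps the 2.2.6 version string).

```python
import re
import xml.parsers.expat

# Upstream fix landed in Expat 2.2.7 (per the CVE text). Debian's 2.2.6-2
# carries the fix as a backport, so a version check is a hint, not proof.
FIXED_UPSTREAM = (2, 2, 7)


def expat_reports_fixed_version() -> bool:
    """True if the libexpat this interpreter uses reports >= 2.2.7."""
    return tuple(xml.parsers.expat.version_info) >= FIXED_UPSTREAM


# Start/end/empty-element tags only; comments, PIs, DOCTYPE and CDATA
# (first char '!' or '?') are skipped. Heuristic, not a full XML tokenizer.
_TAG_RE = re.compile(rb"<\s*/?\s*([^!?>][^>]*)>", re.DOTALL)
# Name-like tokens left in a tag once attribute values are stripped.
_NAME_TOKEN_RE = re.compile(rb"[^\s=\"'/]+")
_ATTR_VALUE_RE = re.compile(rb"=\s*(\"[^\"]*\"|'[^']*')")


def max_colons_in_xml_names(data: bytes) -> int:
    """Largest number of colons in any element or attribute name.

    Attribute values are removed first so colons inside namespace URIs
    (e.g. xmlns:a="urn:x:y") are not counted against the document.
    """
    worst = 0
    for tag in _TAG_RE.finditer(data):
        body = _ATTR_VALUE_RE.sub(b"=", tag.group(1))
        for tok in _NAME_TOKEN_RE.findall(body):
            worst = max(worst, tok.count(b":"))
    return worst


def looks_like_colon_flood(data: bytes, max_colons: int = 1) -> bool:
    """Reject input whose names exceed the one colon a QName can carry."""
    return max_colons_in_xml_names(data) > max_colons


if __name__ == "__main__":
    # Constructed sample: a normal namespaced document.
    sample = b'<?xml version="1.0"?><r xmlns:a="urn:x:y:z"><a:e a:x="1"/></r>'
    print("expat >= 2.2.7:", expat_reports_fixed_version())
    print("max colons in names:", max_colons_in_xml_names(sample))
    print("flagged:", looks_like_colon_flood(sample))
```

Run the filter on untrusted input before handing it to a parser built on an unpatched expat; on a patched build it simply costs one linear pass.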
--- Begin Message ---
Source: expat
Source-Version: 2.2.6-2
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 24 Jun 2019 21:18:31 +0000
Source: expat
Architecture: source
Version: 2.2.6-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 931031
Changes:
expat (2.2.6-2) unstable; urgency=high
.
* Fix extraction of namespace prefix from XML name (CVE-2018-20843)
(closes: #931031).
--- End Message ---