Your message dated Sun, 30 Jun 2019 18:32:09 +0000
with message-id <[email protected]>
and subject line Bug#931031: fixed in expat 2.2.0-2+deb9u2
has caused the Debian Bug report #931031,
regarding expat: CVE-2018-20843
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/issues/186
Hi,
The following vulnerability was published for expat.
CVE-2018-20843[0]:
| In libexpat in Expat before 2.2.7, XML input including XML names that
| contain a large number of colons could make the XML parser consume a
| high amount of RAM and CPU resources while processing (enough to be
| usable for denial-of-service attacks).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
[2] https://github.com/libexpat/libexpat/issues/186
[3] https://github.com/libexpat/libexpat/pull/262
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
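A defensive check for the issue in the report above, added here as an example and not part of the bug report or of the expat package: it verifies that the linked libexpat is at least 2.2.7 (the fixed upstream release named in the CVE text) and, when it is older, pre-screens input for names carrying more than one colon before handing it to a namespace-aware parser. The regex screen and the `parse_guarded` helper are this example's own heuristics, not expat API; `xml.parsers.expat.version_info` is the stdlib binding's real version tuple.

```python
"""Guard for CVE-2018-20843 (XML names with many colons) on hosts that may
still carry an unfixed libexpat. Added example, not project code."""
import re
import xml.parsers.expat as expat

FIXED_VERSION = (2, 2, 7)  # first upstream release with the fix, per the CVE text


def expat_is_patched(version_info=None):
    """True when the linked libexpat is 2.2.7 or newer.
    version_info defaults to the library Python was built against."""
    v = expat.version_info if version_info is None else version_info
    return tuple(v[:3]) >= FIXED_VERSION


# A namespace-qualified name is prefix:local, i.e. at most one colon.
# These regexes are a heuristic pre-screen over the raw text (they do not
# skip CDATA or comment bodies), not a conforming XML tokenizer.
_ELEMENT_NAME = re.compile(r"<\s*/?\s*([^\s/>?!]+)")
_ATTR_NAME = re.compile(r"\s([^\s=/>\"']+)\s*=\s*[\"']")


def find_overlong_names(xml_text, max_colons=1):
    """Return every element or attribute name with more than max_colons colons."""
    names = _ELEMENT_NAME.findall(xml_text) + _ATTR_NAME.findall(xml_text)
    return [n for n in names if n.count(":") > max_colons]


def parse_guarded(xml_text, version_info=None):
    """Parse with a namespace-aware expat parser, refusing suspicious names
    when the underlying library predates the fix. Returns the expanded
    element names ("uri}local") in document order."""
    if not expat_is_patched(version_info):
        bad = find_overlong_names(xml_text)
        if bad:
            raise ValueError("unpatched expat; refusing names %r" % bad)
    seen = []
    parser = expat.ParserCreate(namespace_separator="}")
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)
    return seen


if __name__ == "__main__":
    # Constructed sample: a normal namespaced document.
    print(parse_guarded('<a:root xmlns:a="urn:x"><a:child a:attr="1"/></a:root>'))
```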
--- Begin Message ---
Source: expat
Source-Version: 2.2.0-2+deb9u2
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 27 Jun 2019 19:10:58 +0000
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.2.0-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
expat - XML parsing C library - example application
lib64expat1 - XML parsing C library - runtime library (64bit)
lib64expat1-dev - XML parsing C library - development kit (64bit)
libexpat1 - XML parsing C library - runtime library
libexpat1-dev - XML parsing C library - development kit
libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 931031
Changes:
expat (2.2.0-2+deb9u2) stretch-security; urgency=high
.
* Fix extraction of namespace prefix from XML name (CVE-2018-20843)
(closes: #931031).
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
--- End Message ---