Your message dated Thu, 22 Jun 2023 18:56:54 +0100
with message-id <[email protected]>
and subject line Re: Bug#1037534: rust-xml-rs: CVE-2023-34411
has caused the Debian Bug report #1037534,
regarding rust-xml-rs: CVE-2023-34411
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1037534: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037534
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-xml-rs
Version: 0.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/netvl/xml-rs/pull/226
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-xml-rs.
CVE-2023-34411[0]:
| The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of
| service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A
| nesting) in an XML document. The earliest affected version is 0.8.9.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-34411
https://www.cve.org/CVERecord?id=CVE-2023-34411
[1] https://github.com/netvl/xml-rs/pull/226
[2] https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Actually, the issue is introduced with
https://github.com/netvl/xml-rs/commit/014d808be900c85a0afc5ccdfe668be040d175aa
in 0.8.9 so no Debian version would be affected.
If you can confirm, please close the bug!

It does look that way. Upstream say the versions we have are not affected and we
don't seem to have backported anything (neither of the two versions have a
debian/patches directory).
Closing.
--- End Message ---