Your message dated Fri, 22 Jan 2010 11:03:47 +0000
with message-id <[email protected]>
and subject line Bug#566233: fixed in python2.6 2.6.4-4
has caused the Debian Bug report #566233,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
566233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566233
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: python2.5
severity: serious
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat. I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.
CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.
These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected. This is a low-severity security
issue, so DSAs will not be issued to correct these problems. However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases. If you plan to do this,
please open new bugs and include the security tag so we are aware that
you are working on that.
For further information see [0],[1],[2],[3]. In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
--- End Message ---
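An added example, not part of the bug report or of the Debian packaging: a small Python 3 script that answers the two questions the report asks. It prints which expat the interpreter was built against, checks on Linux whether a shared libexpat is mapped into the process (the "system expat" the report recommends) rather than a copy compiled into pyexpat, and then feeds the parser constructed documents containing the kinds of malformed UTF-8 the two CVEs describe. On a fixed expat every bad document is rejected with ExpatError instead of crashing; reading the error's line and offset is deliberate, because that is the position-tracking code (updatePosition) named in CVE-2009-3720. The sample documents are constructed here, the /proc/self/maps check is a Linux-only heuristic, and names such as probe and run_all are this example's own.

```python
"""Probe the interpreter's expat with malformed UTF-8 (added example, not
from the bug report).  Sample documents below are constructed for this
script."""
import xml.parsers.expat as expat

# Constructed samples, as bytes so expat does the decoding, not Python.
# All but the first carry broken UTF-8 of the kinds the CVE text names:
# a stray continuation byte, a multibyte sequence truncated mid-document,
# an overlong sequence, and a sequence cut off at the very end of the buffer
# (the case where position tracking has to look past the last byte).
SAMPLES = {
    "valid":              b"<r>caf\xc3\xa9</r>",
    "stray_continuation": b"<r>\x80</r>",
    "truncated_3byte":    b"<r>\xe2\x82</r>",
    "overlong_2byte":     b"<r>\xc0\xaf</r>",
    "cut_at_buffer_end":  b"<r>abc\xe2\x82",
}


def probe(data, chunk_size=None):
    """Parse `data` with a fresh parser.

    Returns ("ok", None) if the document is accepted, or
    ("rejected", (code, lineno, offset)) if expat reports an error.
    Reading lineno/offset is what drives expat's position tracking over the
    bad bytes; a crash would kill the interpreter rather than return.
    """
    p = expat.ParserCreate()
    try:
        if chunk_size is None:
            p.Parse(data, True)
        else:
            # Small chunks make multibyte sequences straddle buffer
            # boundaries, which is where over-reads tend to show up.
            for i in range(0, len(data), chunk_size):
                p.Parse(data[i:i + chunk_size], False)
            p.Parse(b"", True)
        return ("ok", None)
    except expat.ExpatError as e:
        return ("rejected", (e.code, e.lineno, e.offset))


def run_all():
    """Probe every sample whole and in 1-byte chunks; return {name: status}.

    Status is "ok", "rejected", or "inconsistent" if the two modes disagree.
    """
    results = {}
    for name, doc in SAMPLES.items():
        whole = probe(doc)[0]
        chunked = probe(doc, chunk_size=1)[0]
        results[name] = whole if whole == chunked else "inconsistent"
    return results


def expat_build_info():
    """Version string and tuple of the expat this interpreter uses."""
    return {"version": expat.EXPAT_VERSION, "version_info": expat.version_info}


def uses_system_expat():
    """Linux-only heuristic (assumption): True if a shared libexpat is mapped
    into this process after importing pyexpat, False if none is (suggesting an
    embedded copy), None if /proc is unavailable."""
    try:
        with open("/proc/self/maps") as maps:
            return any("libexpat.so" in line for line in maps)
    except OSError:
        return None


if __name__ == "__main__":
    print(expat_build_info())
    print("system libexpat mapped:", uses_system_expat())
    for name, status in run_all().items():
        print(f"{name:20s} {status}")
```

Run it with the interpreter you want to check (for a Debian package, the one from the binary package in question); "rejected" for every malformed sample and a mapped libexpat.so are the two results a maintainer closing this bug would want to see.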
--- Begin Message ---
Source: python2.6
Source-Version: 2.6.4-4
We believe that the bug you reported is fixed in the latest version of
python2.6, which is due to be installed in the Debian FTP archive:
idle-python2.6_2.6.4-4_all.deb
to main/p/python2.6/idle-python2.6_2.6.4-4_all.deb
libpython2.6_2.6.4-4_i386.deb
to main/p/python2.6/libpython2.6_2.6.4-4_i386.deb
python2.6-dbg_2.6.4-4_i386.deb
to main/p/python2.6/python2.6-dbg_2.6.4-4_i386.deb
python2.6-dev_2.6.4-4_i386.deb
to main/p/python2.6/python2.6-dev_2.6.4-4_i386.deb
python2.6-doc_2.6.4-4_all.deb
to main/p/python2.6/python2.6-doc_2.6.4-4_all.deb
python2.6-examples_2.6.4-4_all.deb
to main/p/python2.6/python2.6-examples_2.6.4-4_all.deb
python2.6-minimal_2.6.4-4_i386.deb
to main/p/python2.6/python2.6-minimal_2.6.4-4_i386.deb
python2.6_2.6.4-4.diff.gz
to main/p/python2.6/python2.6_2.6.4-4.diff.gz
python2.6_2.6.4-4.dsc
to main/p/python2.6/python2.6_2.6.4-4.dsc
python2.6_2.6.4-4_i386.deb
to main/p/python2.6/python2.6_2.6.4-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python2.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 22 Jan 2010 11:10:41 +0100
Source: python2.6
Binary: python2.6 python2.6-minimal libpython2.6 python2.6-examples python2.6-dev idle-python2.6 python2.6-doc python2.6-dbg
Architecture: source all i386
Version: 2.6.4-4
Distribution: unstable
Urgency: low
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Description:
idle-python2.6 - An IDE for Python (v2.6) using Tkinter
libpython2.6 - Shared Python runtime library (version 2.6)
python2.6 - An interactive high-level object-oriented language (version 2.6)
python2.6-dbg - Debug Build of the Python Interpreter (version 2.6)
python2.6-dev - Header files and a static library for Python (v2.6)
python2.6-doc - Documentation for the high-level object-oriented language Python
python2.6-examples - Examples for the Python language (v2.6)
python2.6-minimal - A minimal subset of the Python language (version 2.6)
Closes: 565693 566233
Changes:
python2.6 (2.6.4-4) unstable; urgency=low
.
* Update to 20100122, taken from the 2.6 release branch.
- Fix DoS via XML document with malformed UTF-8 sequences (CVE-2009-3560).
Closes: #566233.
* Hurd fixes (Pino Toscano). Closes: #565693:
- hurd-broken-poll.dpatch: ported from 2.5.
- hurd-disable-nonworking-constants.dpatch: disable a few constants from
the public API whose C counterparts are not implemented, so using them
either always blocks or always fails (caused issues in the test suite).
- Exclude the profiled build for hurd.
- Disable four blocking tests from the test suite.
Checksums-Sha1:
773147bb63ce510dd7687b9088310d5fd4f0db3a 1714 python2.6_2.6.4-4.dsc
681ef5e9e01112db21920f5a712abf92403f152b 528211 python2.6_2.6.4-4.diff.gz
b4032ae80cbc14882f4262c6d2f926a690932840 671910 python2.6-examples_2.6.4-4_all.deb
7fd36d11b25b68833231addfcdaadf3413eb0867 286766 idle-python2.6_2.6.4-4_all.deb
a441de884db0bf8000040ce540ed1819b8afab48 5638730 python2.6-doc_2.6.4-4_all.deb
bbbc940c46df8f9c887641c20ef18d2077716fa8 2454906 python2.6_2.6.4-4_i386.deb
a23623c7ba62dfff3fc5398c8d68ac5761fa8e39 1358328 python2.6-minimal_2.6.4-4_i386.deb
1e7887a09baa7f7e72691b5fbe683f237b8a1b1b 975836 libpython2.6_2.6.4-4_i386.deb
0b85cb0a5d80760f76226085584bdc45c83560fd 4335970 python2.6-dev_2.6.4-4_i386.deb
ec82b2a59521820cd7e134a5454d332191261648 11002068 python2.6-dbg_2.6.4-4_i386.deb
Checksums-Sha256:
7597c2d6cfb4d15fa7ed4caf1a598c9e5e554a595b3776acb95019260556ddbd 1714 python2.6_2.6.4-4.dsc
d136eaf9c24be3d36fb8491be9b5fb330063c4d7fa7aa66c1d6094c0df0eda2b 528211 python2.6_2.6.4-4.diff.gz
76ae13682e36df3a91c400d58a1d35738c83e776451dbc7fc7456c28bf49b86f 671910 python2.6-examples_2.6.4-4_all.deb
3d72a3502be488dd68165093d227dd7a4130e66333d92d231d140fd47145f580 286766 idle-python2.6_2.6.4-4_all.deb
5e51f8b08eed538a5af9948de2d8872236cb0c8770c8c1a56e15dde6a61815dc 5638730 python2.6-doc_2.6.4-4_all.deb
0bc4f6a059fbbff9af7c02173d91ae3db21d4ca09461ad59c3a3acd004cadb51 2454906 python2.6_2.6.4-4_i386.deb
34f601bea65a905c5fb8f1368a38387d4519120f09d8363ae13c174fc91780df 1358328 python2.6-minimal_2.6.4-4_i386.deb
3cf8ab3c61de56e97880735e96c246a98585afab162da86cdb962ca28dac4fcb 975836 libpython2.6_2.6.4-4_i386.deb
3fadc61f7d39e84546e9e57a683d63b7ea786f691b90b7632f2b5479cce8e0cd 4335970 python2.6-dev_2.6.4-4_i386.deb
3618755477ecd5b4846fadec724baaaecbdfbdc5183c78bcd300713b4a4cc9df 11002068 python2.6-dbg_2.6.4-4_i386.deb
Files:
573c6fc8c9fe86c9a4238c9903b70059 1714 python optional python2.6_2.6.4-4.dsc
295edb096ee224171fb1c7867684ad2f 528211 python optional python2.6_2.6.4-4.diff.gz
af6cb0724484c6fdf1b6e00f5548b18e 671910 python optional python2.6-examples_2.6.4-4_all.deb
b6161a4dc4f64fab358651a3838f091e 286766 python optional idle-python2.6_2.6.4-4_all.deb
10e82639ed438c83d14785f08d6304f3 5638730 doc optional python2.6-doc_2.6.4-4_all.deb
7e66eb1078f6390fce92f88eeb9dfc7a 2454906 python optional python2.6_2.6.4-4_i386.deb
9e9e1d74340601de127510815439f27c 1358328 python optional python2.6-minimal_2.6.4-4_i386.deb
15d907b2c599e1c881f9f68e543cb70f 975836 libs optional libpython2.6_2.6.4-4_i386.deb
eafe6a30c87403112decd03f698b9721 4335970 python optional python2.6-dev_2.6.4-4_i386.deb
1b192228e389557073f9f9c797d0e8cc 11002068 debug extra python2.6-dbg_2.6.4-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktZgr0ACgkQStlRaw+TLJz5bwCfWkgHeQT+lEsxhYkhkgEXvqWH
i6EAnjDhQlD1/KWNjNjr5b1mdxfUxR2P
=6wVI
-----END PGP SIGNATURE-----
--- End Message ---