Your message dated Fri, 22 Jan 2010 13:05:09 +0000
with message-id <e1nyjch-0002lf...@ries.debian.org>
and subject line Bug#560935: fixed in paraview 3.6.2-1
has caused the Debian Bug report #560935,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
560935: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560935
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: paraview
severity: serious
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat.  I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.

These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected.  This is a low-severity security
issue, so DSAs will not be issued to correct these problems.  However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases.  If you plan to do this, 
please open new bugs and include the security tag so we are aware that
you are working on that.

For further information see [0],[1],[2],[3].  In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch



--- End Message ---
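The report above asks the maintainer to determine whether the binary packages actually carry the vulnerable embedded copy of expat or use the system library. As an added example (not part of the bug report or of the paraview package), here is a small POSIX shell helper that classifies a file as linking the system libexpat, embedding its own copy of the parser, or neither. It assumes `readelf` from binutils is available for the dynamic-dependency check and uses the real expat entry point name `XML_ParserCreate` as a heuristic marker for an embedded copy.

```shell
#!/bin/sh
# Added example, not from the bug report: classify how a file uses expat.
#   system   - dynamically linked against libexpat (one package to patch)
#   embedded - expat's public parser entry point is compiled into the file
#   none     - no sign of expat at all
# Assumes readelf (binutils) for the NEEDED check; XML_ParserCreate is the
# real expat API name, used here as a heuristic marker for an embedded copy.
expat_usage() {
    f="$1"
    # A NEEDED entry for libexpat means the system copy is used at run time.
    if readelf -d "$f" 2>/dev/null | grep -q 'NEEDED.*libexpat'; then
        echo system
        return 0
    fi
    # No shared-library dependency, but the API symbol is present in the
    # file body: a statically built-in (embedded) copy of the parser.
    if grep -aq 'XML_ParserCreate' "$f"; then
        echo embedded
        return 0
    fi
    echo none
}

# Walk a tree (for example the unpacked contents of a .deb, or the files
# listed by `dpkg -L paraview` for an installed package) and report one
# classification per file, tab-separated from the path.
scan_tree() {
    find "$1" -type f | while read -r f; do
        printf '%s\t%s\n' "$(expat_usage "$f")" "$f"
    done
}

# Number of files that appear to embed expat; non-zero means the binary
# package is affected and must be rebuilt against a fixed expat.
count_embedded() {
    scan_tree "$1" | grep -c '^embedded' || true
}
```

The string match is a heuristic: a stripped binary that embeds expat under renamed symbols would be missed, so treat a `none` result as a prompt to inspect the build system, not as proof of absence.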
--- Begin Message ---
Source: paraview
Source-Version: 3.6.2-1

We believe that the bug you reported is fixed in the latest version of
paraview, which is due to be installed in the Debian FTP archive:

paraview_3.6.2-1.diff.gz
  to main/p/paraview/paraview_3.6.2-1.diff.gz
paraview_3.6.2-1.dsc
  to main/p/paraview/paraview_3.6.2-1.dsc
paraview_3.6.2-1_amd64.deb
  to main/p/paraview/paraview_3.6.2-1_amd64.deb
paraview_3.6.2.orig.tar.gz
  to main/p/paraview/paraview_3.6.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Prud'homme <prudh...@debian.org> (supplier of updated paraview package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 14 Jan 2010 10:23:56 +0100
Source: paraview
Binary: paraview
Architecture: source amd64
Version: 3.6.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian Scientific Computing Team 
<pkg-scicomp-de...@lists.alioth.debian.org>
Changed-By: Christophe Prud'homme <prudh...@debian.org>
Description: 
 paraview   - dynamic libraries for Paraview
Closes: 549211 550407 550415 558329 560935
Changes: 
 paraview (3.6.2-1) unstable; urgency=low
 .
   [Christophe Prud'homme]
   * New upstream release
   * debian/control: updated Standards-Version to 3.8.3 (no changes)
   * added patch to fix build for hdf5
   * Bug fix: "Package is uninstallable", thanks to Boris Pek (Closes:
     #558329).
   * Bug fix: "CVE-2009-3560 and CVE-2009-3720 denial-of-services", thanks
     to Michael Gilbert (Closes: #560935).
   * Bug fix: "Paraview 3.6.1 update", thanks to Mathieu Malaterre (Closes:
     #549211).
   * Bug fix: "patch for NMU 3.4.0-4.1", thanks to Francesco P. Lovergine
     (Closes: #550407).
   * Bug fix: "Updating the paraview Maintainer/Uploaders list", thanks to
     Sandro Tosi (Closes: #550415).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLWZ2ToY+0C9S+FFARAvY+AJ9O/x+Onk4hMtAg/7VgmWfQusE8QACfU2bz
FFlwOWwFQB68Wv5KHnLg6hs=
=yY3p
-----END PGP SIGNATURE-----



--- End Message ---
