Your message dated Mon, 22 Feb 2010 13:35:05 +0000
with message-id <[email protected]>
and subject line Bug#560914: fixed in python-4suite 1.0.2-7.2
has caused the Debian Bug report #560914,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
560914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560914
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: python-4suite
severity: serious
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat. I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.
CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.
These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected. This is a low-severity security
issue, so DSAs will not be issued to correct these problems. However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases. If you plan to do this,
please open new bugs and include the security tag so we are aware that
you are working on that.
For further information see [0],[1],[2],[3]. In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
--- End Message ---
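The report above asks the maintainer to determine whether the binary packages actually carry the embedded Expat code before closing the bug. The script below is an added example of that check; it is not part of the bug report, of the python-4suite package, or of Expat. It assumes two things not stated on the page: that a compiled copy of xmlparse.c leaves the literal string "expat_<major>.<minor>.<micro>" (the value XML_ExpatVersion() returns) in the object file, so a byte search on the built .so files distinguishes a statically built-in Expat from a dynamic link against the system libexpat; and that Expat 2.0.1 and earlier are the affected versions, as the report states. A patched 2.0.1 keeps the same version string, so a hit means "inspect this binary", not "unpatched". The source tree and the two fake shared objects are constructed inline for the demonstration.

```python
"""Added example: is a vulnerable Expat copy embedded in a package?
(Not the bug report's, python-4suite's, or Expat's own code.)"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# File names the report cites as the embedded Expat copy, plus its header.
EXPAT_SOURCE_FILES = {"xmlparse.c", "xmltok.c", "xmltok_impl.c", "expat.h"}

# Assumption from the report: 2.0.1 and older carry the vulnerable code.
LAST_AFFECTED_VERSION = (2, 0, 1)

_VERSION_DEFINE = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.M)
# Assumption: XML_ExpatVersion() compiles "expat_X.Y.Z" into the binary.
_BINARY_VERSION = re.compile(rb"expat_(\d+)\.(\d+)\.(\d+)")


def find_embedded_expat_sources(root: str) -> List[str]:
    """Paths (relative to root) of Expat source files found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in EXPAT_SOURCE_FILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def parse_expat_version(expat_h_text: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, micro) from an expat.h, or None if any define is missing."""
    found: Dict[str, int] = {m.group(1): int(m.group(2))
                             for m in _VERSION_DEFINE.finditer(expat_h_text)}
    if all(k in found for k in ("MAJOR", "MINOR", "MICRO")):
        return (found["MAJOR"], found["MINOR"], found["MICRO"])
    return None


def scan_binary_for_expat(path: str) -> Optional[Tuple[int, int, int]]:
    """Version string compiled into a binary, or None if Expat is not built in.

    A module that merely links libexpat.so references XML_* symbols but does
    not contain the version string; only a statically compiled xmlparse.c does.
    """
    with open(path, "rb") as fh:
        m = _BINARY_VERSION.search(fh.read())
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for versions the report says carry the vulnerable code."""
    return version <= LAST_AFFECTED_VERSION


def assess_package(source_root: str, binaries: List[str]) -> Dict[str, object]:
    """Combine the source-tree and built-binary checks into one report."""
    sources = find_embedded_expat_sources(source_root)
    header_version = None
    for rel in sources:
        if os.path.basename(rel) == "expat.h":
            with open(os.path.join(source_root, rel), encoding="utf-8") as fh:
                header_version = parse_expat_version(fh.read())
            break
    embedded = {b: scan_binary_for_expat(b) for b in binaries}
    return {
        "embedded_sources": sources,
        "header_version": header_version,
        "binaries_with_expat": {b: v for b, v in embedded.items() if v},
        "affected_binaries": sorted(b for b, v in embedded.items()
                                    if v and is_affected(v)),
    }


def build_demo_tree() -> Tuple[str, List[str]]:
    """Constructed sample input: a fake source tree and two fake .so files."""
    root = tempfile.mkdtemp(prefix="expat-check-")
    src = os.path.join(root, "src", "expat")
    os.makedirs(src)
    with open(os.path.join(src, "expat.h"), "w", encoding="utf-8") as fh:
        fh.write("#define XML_MAJOR_VERSION 2\n#define XML_MINOR_VERSION 0\n"
                 "#define XML_MICRO_VERSION 1\n")
    for name in ("xmlparse.c", "xmltok_impl.c"):
        open(os.path.join(src, name), "w").close()
    # builtin_ext: Expat compiled in.  linked_ext: only a dynamic reference.
    builtin = os.path.join(root, "builtin_ext.so")
    with open(builtin, "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 16 + b"expat_2.0.1\0XML_ParserCreate\0")
    linked = os.path.join(root, "linked_ext.so")
    with open(linked, "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 16 + b"XML_ParserCreate\0")
    return root, [builtin, linked]


if __name__ == "__main__":
    demo_root, demo_bins = build_demo_tree()
    for key, value in assess_package(demo_root, demo_bins).items():
        print(f"{key}: {value}")
```

On a real package, point assess_package at the unpacked source and at the .so files from the built .deb (for example the ones under /usr/lib/python*/ after dpkg-deb -x). A binary listed under affected_binaries still needs a look at the patch state of the embedded xmlparse.c and xmltok_impl.c, since the version string does not change when the two fixes are applied; a binary that references XML_* symbols but is absent from binaries_with_expat is using the system libexpat, which is the outcome the report recommends.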
--- Begin Message ---
Source: python-4suite
Source-Version: 1.0.2-7.2
We believe that the bug you reported is fixed in the latest version of
python-4suite, which is due to be installed in the Debian FTP archive:
python-4suite-doc_1.0.2-7.2_all.deb
to main/p/python-4suite/python-4suite-doc_1.0.2-7.2_all.deb
python-4suite-xml_1.0.2-7.2_i386.deb
to main/p/python-4suite/python-4suite-xml_1.0.2-7.2_i386.deb
python-4suite_1.0.2-7.2.diff.gz
to main/p/python-4suite/python-4suite_1.0.2-7.2.diff.gz
python-4suite_1.0.2-7.2.dsc
to main/p/python-4suite/python-4suite_1.0.2-7.2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jakub Wilk <[email protected]> (supplier of updated python-4suite package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 20 Feb 2010 13:42:38 +0100
Source: python-4suite
Binary: python-4suite-xml python-4suite-doc
Architecture: source all i386
Version: 1.0.2-7.2
Distribution: unstable
Urgency: low
Maintainer: Raphael Bossek <[email protected]>
Changed-By: Jakub Wilk <[email protected]>
Description:
python-4suite-doc - Documentation for 4Suite
python-4suite-xml - An open-source platform for XML and RDF processing
Closes: 560078 560914 569821
Changes:
python-4suite (1.0.2-7.2) unstable; urgency=low
.
[ Luca Falavigna ]
* Non-maintainer upload.
* debian/patches/43-python2.6.dpatch:
- Python 2.6 compatibility patch provided by upstream developers,
fixes build failures on several architectures (Closes: #569821).
* debian/patches/44-kfreebsd.dpatch:
- Allow build on kFreeBSD, thanks Cyril Brulebois! (Closes: #560078).
.
[ Jakub Wilk ]
* Fix Expat vulnerabilities: CVE-2009-3560 and CVE-2009-3720.
(Closes: #560914)
Checksums-Sha1:
ea115b2791143d95e30561ff441a385109d22947 1777 python-4suite_1.0.2-7.2.dsc
4248e4502d23c15399f81fce33129496ff29fd32 20672 python-4suite_1.0.2-7.2.diff.gz
c8f21b41f5f212a68fcacd2244c5f0a705b76a36 937904 python-4suite-doc_1.0.2-7.2_all.deb
5c7348df60ff93b936692b4c547a230d6705ff35 1558028 python-4suite-xml_1.0.2-7.2_i386.deb
Checksums-Sha256:
14a27f49277871dff565228693e04088c5cba3e2b06d61744a46a37ac54a637a 1777 python-4suite_1.0.2-7.2.dsc
92da55169cbd3864d9fe28f6f95f3cc55d6098cf325c211b518e36cef0decd4c 20672 python-4suite_1.0.2-7.2.diff.gz
ad32f0787f08985bc61d38ae3fc8c950956a80c93ffc006dda9ddfb09306f67e 937904 python-4suite-doc_1.0.2-7.2_all.deb
9a7b3f78b06cb2a85d20b57bb4d6dfda8a62f152e5f29d9dfffb849abd6428d4 1558028 python-4suite-xml_1.0.2-7.2_i386.deb
Files:
084a42f4dd1b9e4c1fe7c4bb35d18d79 1777 python optional python-4suite_1.0.2-7.2.dsc
77fa704984f106b2b54adf8c4fc3edbb 20672 python optional python-4suite_1.0.2-7.2.diff.gz
62e55e183287aba5e2cee670b3282a3a 937904 doc optional python-4suite-doc_1.0.2-7.2_all.deb
1ce141d577e633282ff5cf7f539dbb1c 1558028 python optional python-4suite-xml_1.0.2-7.2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---