Your message dated Sat, 13 Mar 2010 13:54:11 +0000
with message-id <[email protected]>
and subject line Bug#560913: fixed in python2.4 2.4.6-1+lenny1
has caused the Debian Bug report #560913,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
560913: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560913
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: python2.4
severity: serious
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat. I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.
CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.
These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected. This is a low-severity security
issue, so DSAs will not be issued to correct these problems. However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases. If you plan to do this,
please open new bugs and include the security tag so we are aware that
you are working on that.
For further information see [0],[1],[2],[3]. In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
--- End Message ---
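The report above asks the maintainer to establish whether the package ships its own copy of the expat sources rather than linking the system library, and names the files that carry the affected code. The Python script below is an added example, not code from the Debian bug report or from the python2.4 package: it walks a source tree for the files the report names (xmlparse.c, xmltok_impl.c, plus xmltok.c from the CVE-2009-3560 text and the expat.h header), reads the version macros from any embedded expat.h, and flags copies at or below 2.0.1 for review, since the CVE text names 2.0.1 as affected and the report says older versions are too. It also reports the expat version the running interpreter was built against through pyexpat.version_info. The sample tree it builds, the directory names Modules/expat and vendor/expat, the header fragments and the 2.0.1 threshold are constructed for the example.

```python
"""Find vendored copies of expat in a source tree and report their version.

Added example for the bug report above; not code from the Debian BTS or the
python2.4 package. Directory names and header contents below are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

import pyexpat

# Files the bug report names as carrying the vulnerable code (xmlparse.c,
# xmltok_impl.c), plus xmltok.c (named in the CVE-2009-3560 text) and the
# header that declares expat's version macros.
EXPAT_SOURCE_FILES = ("xmlparse.c", "xmltok.c", "xmltok_impl.c", "expat.h")

# Assumption for this example: the CVE text names Expat 2.0.1 as affected and
# the report says older versions are too, so anything <= 2.0.1 is flagged.
LAST_KNOWN_VULNERABLE = (2, 0, 1)

_VERSION_RE = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.MULTILINE
)


def parse_expat_version(header_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, micro) from expat.h, or None if not all present."""
    found = {m.group(1): int(m.group(2)) for m in _VERSION_RE.finditer(header_text)}
    if {"MAJOR", "MINOR", "MICRO"} <= found.keys():
        return (found["MAJOR"], found["MINOR"], found["MICRO"])
    return None


def find_embedded_expat(root: str) -> Dict[str, List[str]]:
    """Map each directory under root that holds expat sources to those files."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        present = sorted(f for f in files if f in EXPAT_SOURCE_FILES)
        if present:
            hits[dirpath] = present
    return hits


def assess_tree(root: str) -> List[dict]:
    """Report every embedded copy, its version and whether it needs review."""
    report = []
    for dirpath, files in find_embedded_expat(root).items():
        version = None
        if "expat.h" in files:
            with open(os.path.join(dirpath, "expat.h"), encoding="utf-8",
                      errors="replace") as fh:
                version = parse_expat_version(fh.read())
        # A copy with no parseable version is still flagged: the maintainer
        # must establish which upstream code it corresponds to.
        needs_review = version is None or version <= LAST_KNOWN_VULNERABLE
        report.append({
            "rel_dir": os.path.relpath(dirpath, root).replace(os.sep, "/"),
            "files": files,
            "version": version,
            "needs_review": needs_review,
        })
    report.sort(key=lambda r: r["rel_dir"])
    return report


def interpreter_expat_version() -> Tuple[int, int, int]:
    """Version of the expat this interpreter's pyexpat module was built against."""
    return tuple(pyexpat.version_info)


def _write_header(path: str, version: Tuple[int, int, int]) -> None:
    """Write a constructed expat.h fragment carrying the given version macros."""
    major, minor, micro = version
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("/* constructed expat.h fragment for the example */\n")
        fh.write(f"#define XML_MAJOR_VERSION {major}\n")
        fh.write(f"#define XML_MINOR_VERSION {minor}\n")
        fh.write(f"#define XML_MICRO_VERSION {micro}\n")


def build_constructed_tree(root: str) -> None:
    """Lay out two constructed vendored copies: one at 2.0.1, one newer."""
    old = os.path.join(root, "Modules", "expat")  # constructed embedded copy
    new = os.path.join(root, "vendor", "expat")   # constructed newer copy
    for d in (old, new):
        os.makedirs(d)
        for name in ("xmlparse.c", "xmltok_impl.c"):
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write("/* placeholder source file */\n")
    _write_header(os.path.join(old, "expat.h"), (2, 0, 1))
    _write_header(os.path.join(new, "expat.h"), (2, 1, 0))


def run_demo() -> List[dict]:
    """Build the constructed tree in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return assess_tree(tmp)


if __name__ == "__main__":
    print("interpreter expat:", ".".join(map(str, interpreter_expat_version())))
    for entry in run_demo():
        print(entry)
```

Run against a real source tree with `assess_tree("/path/to/python2.4-2.4.6")`; a flagged entry means the tree carries its own expat and the patches at [2] and [3] (or a switch to the system library, as the report recommends) need to be applied, while an empty report means no vendored expat sources were found and the binaries depend on whatever libexpat they link at build time.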
--- Begin Message ---
Source: python2.4
Source-Version: 2.4.6-1+lenny1
We believe that the bug you reported is fixed in the latest version of
python2.4, which is due to be installed in the Debian FTP archive:
idle-python2.4_2.4.6-1+lenny1_all.deb
to main/p/python2.4/idle-python2.4_2.4.6-1+lenny1_all.deb
python2.4-dbg_2.4.6-1+lenny1_i386.deb
to main/p/python2.4/python2.4-dbg_2.4.6-1+lenny1_i386.deb
python2.4-dev_2.4.6-1+lenny1_i386.deb
to main/p/python2.4/python2.4-dev_2.4.6-1+lenny1_i386.deb
python2.4-examples_2.4.6-1+lenny1_all.deb
to main/p/python2.4/python2.4-examples_2.4.6-1+lenny1_all.deb
python2.4-minimal_2.4.6-1+lenny1_i386.deb
to main/p/python2.4/python2.4-minimal_2.4.6-1+lenny1_i386.deb
python2.4_2.4.6-1+lenny1.diff.gz
to main/p/python2.4/python2.4_2.4.6-1+lenny1.diff.gz
python2.4_2.4.6-1+lenny1.dsc
to main/p/python2.4/python2.4_2.4.6-1+lenny1.dsc
python2.4_2.4.6-1+lenny1_i386.deb
to main/p/python2.4/python2.4_2.4.6-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <[email protected]> (supplier of updated python2.4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 21 Jan 2010 20:16:16 -0500
Source: python2.4
Binary: python2.4 python2.4-minimal python2.4-examples python2.4-dev idle-python2.4 python2.4-doc python2.4-dbg
Architecture: source all i386
Version: 2.4.6-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Matthias Klose <[email protected]>
Changed-By: Michael Gilbert <[email protected]>
Description:
idle-python2.4 - An IDE for Python (v2.4) using Tkinter
python2.4 - An interactive high-level object-oriented language (version 2.4)
python2.4-dbg - Debug Build of the Python Interpreter (version 2.4)
python2.4-dev - Header files and a static library for Python (v2.4)
python2.4-doc - Documentation for the high-level object-oriented language Python
python2.4-examples - Examples for the Python language (v2.4)
python2.4-minimal - A minimal subset of the Python language (version 2.4)
Closes: 560913
Changes:
python2.4 (2.4.6-1+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix two denial-of-service vulnerabilities: CVE-2009-3560 and CVE-2009-3720.
(Closes: #560913)
Checksums-Sha1:
80e2a886986b9ddcde80a71249f30291857df83c 1635 python2.4_2.4.6-1+lenny1.dsc
514e6be857e9cbe461806816a7024aab0db10aa8 9594954 python2.4_2.4.6.orig.tar.gz
e0bfd5f733fe8ec10b5efda3327c59025e9ea1bb 227322 python2.4_2.4.6-1+lenny1.diff.gz
3ae81a0a291bced38efc64aa7e1221db6dcb5350 592970 python2.4-examples_2.4.6-1+lenny1_all.deb
2e96c98bd94d9d4e6140b7f233dd9667dcbb7a61 62960 idle-python2.4_2.4.6-1+lenny1_all.deb
60058bfb86b6c5c669e7d0f7e4374d09eab65c19 2840966 python2.4_2.4.6-1+lenny1_i386.deb
67bf4b2d0aedcbf6d3c5ad1adfeac656dc4ed4d8 1001110 python2.4-minimal_2.4.6-1+lenny1_i386.deb
d04b4f713e75558bc774a3035af8e9519b7fd07a 1500408 python2.4-dev_2.4.6-1+lenny1_i386.deb
0a1fd176656146bf9f1ae4cdc5671015691daf03 6473440 python2.4-dbg_2.4.6-1+lenny1_i386.deb
Checksums-Sha256:
162cba2c50207f510716d2d4221354ad45b4fca354e63cb158f68f678d5b18a4 1635 python2.4_2.4.6-1+lenny1.dsc
855c5fb882b1f6e8a061603b0207485bd86407864f4de60a45df588903e3f95d 9594954 python2.4_2.4.6.orig.tar.gz
d4f06f5e7ab6f14e219906a644083e10ecefaf02fa94afe134e8202eaaf2997e 227322 python2.4_2.4.6-1+lenny1.diff.gz
03b464296735d472875603196dbb906ca50c1a3cab6edc364cdd51b71457bea7 592970 python2.4-examples_2.4.6-1+lenny1_all.deb
50861611c2aa2ae4451adfc52692aa7ad09e19c65a786835578535d1f0a4371e 62960 idle-python2.4_2.4.6-1+lenny1_all.deb
7166f843c4251f6d0c099b5c84ce1ea041660401c5ec3a680edaa57fa66e51bf 2840966 python2.4_2.4.6-1+lenny1_i386.deb
aea9666b683b49952de61e6d73982d8cb28d04be0fbfdffd80c8503686b3dd50 1001110 python2.4-minimal_2.4.6-1+lenny1_i386.deb
e12b0a5e5cd9d9dd21a21770f5dc52d37dca26c5fd26faf2fcdbf457afc65f20 1500408 python2.4-dev_2.4.6-1+lenny1_i386.deb
cd2380dc1e5b191a85a16f9e99c7b54c494ace3bb31e33061e42f2107170d5e2 6473440 python2.4-dbg_2.4.6-1+lenny1_i386.deb
Files:
d834b90d21b73518ccccb726f18f05c3 1635 python optional python2.4_2.4.6-1+lenny1.dsc
1f81e15ea22838260d5c094d31107443 9594954 python optional python2.4_2.4.6.orig.tar.gz
f71561ec858f0e70c4c4a3170b70d825 227322 python optional python2.4_2.4.6-1+lenny1.diff.gz
acd6acbc49867555f82a0973d3ea3634 592970 python optional python2.4-examples_2.4.6-1+lenny1_all.deb
3ab8888a4f25fc99665468e1b9b6a532 62960 python optional idle-python2.4_2.4.6-1+lenny1_all.deb
2857bbbf61e0d7105748d5f7d998ecc9 2840966 python optional python2.4_2.4.6-1+lenny1_i386.deb
dc8aabc3ad985885ba6697ad9005b114 1001110 python optional python2.4-minimal_2.4.6-1+lenny1_i386.deb
577f7604a1bcb169382eb2b04ffc3da4 1500408 python optional python2.4-dev_2.4.6-1+lenny1_i386.deb
8a63d0afe4d8a9bfb231029653386ac7 6473440 python extra python2.4-dbg_2.4.6-1+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktcM+oACgkQNxpp46476aqLlACeIm/FhB3VARr8fzFxax59lQAB
Wl0Ani/onB/09qsmqt8KsrD+LG1qOgrI
=ktAs
-----END PGP SIGNATURE-----
--- End Message ---