The current xerces-c2 package, 2.8.0+deb1-2, contains a patch supplied by upstream to address CVE-2009-1885. The security team has deemed that this is not important enough for a DSA, and I agree. From Giuseppe Iuculano:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for xerces-c2 and xerces27 some time ago.
>
> CVE-2009-1885[0]:
> | Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
> | Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers
> | to cause a denial of service (application crash) via vectors involving
> | nested parentheses and invalid byte values in "simply nested DTD
> | structures," as demonstrated by the Codenomicon XML fuzzing framework.
>
> Unfortunately the vulnerability described above is not important
> enough to get it fixed via regular security update in Debian stable
> and oldstable. It does not warrant a DSA.
>
> However it would be nice if this could get fixed via a regular point
> update[1]. Please contact the release team for this.

As it happens, the patch from 2.8.0+deb1-2 applies perfectly to the version in stable, so preparing an update to stable is trivial. With the permission of the release team, I will prepare the upload.

I'm not sure what the best way to do this is. I can either prepare an upload to stable or I can supply a patch that can be applied to the version of the package in stable. I don't presently have a stable chroot to build in, though I can obviously make one to prepare the package if it would help.

My changelog starts with this:

    xerces-c2 (2.8.0-3+lenny1) stable; urgency=low

I also added the patch to the debian/patches directory after regenerating it (just to be sure) and changing its name based on the different packaging of the older version.

[note to self: ~/tmp/xerces-c2-2.8.0-3+lenny1.patch]

-- 
Jay Berkenbilt <[email protected]>
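The steps described in the mail (dropping the upstream patch into debian/patches, registering it, confirming it still applies to the stable tree, and opening a new changelog stanza for a stable upload) as an added shell example. This is not code from the original mail or from the xerces-c2 packaging: the source tree and the patch are constructed stand-ins rather than the real Xerces sources or the real CVE-2009-1885 fix, the patch file name `CVE-2009-1885.patch` and the maintainer identity are assumptions, and the `patch(1)` and `dpkg(1)` checks are skipped when those tools are absent.

```shell
#!/bin/sh
# Added example, not part of the original mail: stage an upstream security
# patch into a Debian source tree for a stable point update and write the
# changelog stanza. The source tree and the patch are constructed stand-ins
# (not xerces-c2's real sources or the real CVE-2009-1885 fix); the patch file
# name and maintainer identity are assumptions.
set -eu

PKG=xerces-c2
UPSTREAM=2.8.0
STABLE_VERSION=2.8.0-3+lenny1     # from the mail: stable's 2.8.0-3 plus a lenny suffix
UNSTABLE_VERSION=2.8.0+deb1-2     # from the mail: the version already carrying the fix
PATCH_NAME=CVE-2009-1885.patch    # assumed name for the patch under debian/patches

# Constructed stand-in for the unpacked source package with one old changelog stanza.
make_workspace() {
    ws=$1; src="$ws/$PKG-$UPSTREAM"
    mkdir -p "$src/debian/patches" "$src/src"
    printf 'int scan_dtd(void) { return 0; }\n' > "$src/src/scanner.c"
    : > "$src/debian/patches/series"
    cat > "$src/debian/changelog" <<EOF
$PKG ($UPSTREAM-3) unstable; urgency=low

  * Previous upload (constructed placeholder stanza).

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Jan 2007 00:00:00 +0000
EOF
}

# Constructed unified diff standing in for the upstream fix (-p1 style paths).
make_patch() {
    ws=$1
    cat > "$ws/$PATCH_NAME" <<'EOF'
--- a/src/scanner.c
+++ b/src/scanner.c
@@ -1 +1 @@
-int scan_dtd(void) { return 0; }
+int scan_dtd(void) { return 1; } /* constructed stand-in for the real fix */
EOF
}

# Copy the patch into debian/patches, register it in series exactly once (safe
# to re-run), and confirm it applies to this tree before anything is built.
stage_patch() {
    src=$1; patchfile=$2; name=$(basename "$patchfile")
    cp "$patchfile" "$src/debian/patches/$name"
    grep -qxF "$name" "$src/debian/patches/series" ||
        printf '%s\n' "$name" >> "$src/debian/patches/series"
    if command -v patch >/dev/null 2>&1; then
        (cd "$src" && patch -p1 --dry-run -s < "debian/patches/$name") ||
            { echo "patch $name does not apply cleanly" >&2; return 1; }
    else
        echo "patch(1) not found; skipping the dry-run apply check" >&2
    fi
}

# Prepend a stable point-update stanza in the layout dch(1) writes, so the first
# line of debian/changelog names the package, version and target distribution.
add_changelog_entry() {
    src=$1; version=$2; dist=$3; message=$4
    author="${DEBFULLNAME:-Example Maintainer} <${DEBEMAIL:-maintainer@example.org}>"
    stamp=$(LC_ALL=C date "+%a, %d %b %Y %H:%M:%S %z")
    tmp="$src/debian/changelog.new"
    {
        printf '%s (%s) %s; urgency=low\n\n  * %s\n\n -- %s  %s\n\n' \
            "$PKG" "$version" "$dist" "$message" "$author" "$stamp"
        cat "$src/debian/changelog"
    } > "$tmp"
    mv "$tmp" "$src/debian/changelog"
}

# A stable update must sort below the version in unstable, or the fixed package
# would look like a downgrade to anyone upgrading to the next release. dpkg knows
# the Debian ordering rules; sort -V does not (it ranks "+" before "-"), so the
# check is skipped rather than approximated when dpkg is unavailable.
check_version_order() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$STABLE_VERSION" lt "$UNSTABLE_VERSION"
    else
        echo "dpkg not found; skipping version-order check" >&2
    fi
}

main() {
    ws=$(mktemp -d)
    make_workspace "$ws"
    make_patch "$ws"
    stage_patch "$ws/$PKG-$UPSTREAM" "$ws/$PATCH_NAME"
    add_changelog_entry "$ws/$PKG-$UPSTREAM" "$STABLE_VERSION" stable \
        "Apply upstream patch for CVE-2009-1885 (stack consumption in DTDScanner.cpp)."
    check_version_order
    head -n 1 "$ws/$PKG-$UPSTREAM/debian/changelog"
    cat "$ws/$PKG-$UPSTREAM/debian/patches/series"
    rm -rf "$ws"
}
main
```

On a real stable update the remaining steps are the ones the mail leaves open: build the source package (`dpkg-buildpackage -S`) in a stable chroot, and either upload it or send the release team a `debdiff` between the current stable `.dsc` and the new one, which is the "supply a patch" alternative the mail mentions.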

