Bug#1022225: marked as done (libxml2: CVE-2022-40304: dict corruption caused by entity reference cycles)
Your message dated Sat, 05 Nov 2022 22:47:07 + with message-id and subject line Bug#105: fixed in libxml2 2.9.10+dfsg-6.7+deb11u3 has caused the Debian Bug report #105, regarding libxml2: CVE-2022-40304: dict corruption caused by entity reference cycles to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: libxml2
Version: 2.9.14+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for libxml2.

CVE-2022-40304[0]:
| dict corruption caused by entity reference cycles

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40304
    https://www.cve.org/CVERecord?id=CVE-2022-40304
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: libxml2
Source-Version: 2.9.10+dfsg-6.7+deb11u3
Done: Salvatore Bonaccorso

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 1022...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Oct 2022 13:03:35 +0100
Source: libxml2
Architecture: source
Version: 2.9.10+dfsg-6.7+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Debian XML/SGML Group
Changed-By: Salvatore Bonaccorso
Closes: 104 105
Changes:
 libxml2 (2.9.10+dfsg-6.7+deb11u3) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix integer overflows with XML_PARSE_HUGE (CVE-2022-40303)
     (Closes: #104)
   * Fix dict corruption caused by entity reference cycles (CVE-2022-40304)
     (Closes: #105)
--- End Message ---
Bug#1022225: marked as done (libxml2: CVE-2022-40304: dict corruption caused by entity reference cycles)
Your message dated Mon, 31 Oct 2022 16:04:53 + with message-id and subject line Bug#105: fixed in libxml2 2.9.14+dfsg-1.1 has caused the Debian Bug report #105, regarding libxml2: CVE-2022-40304: dict corruption caused by entity reference cycles to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: libxml2
Version: 2.9.14+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for libxml2.

CVE-2022-40304[0]:
| dict corruption caused by entity reference cycles

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40304
    https://www.cve.org/CVERecord?id=CVE-2022-40304
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: libxml2
Source-Version: 2.9.14+dfsg-1.1
Done: Salvatore Bonaccorso

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 1022...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Oct 2022 11:18:06 +0100
Source: libxml2
Architecture: source
Version: 2.9.14+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group
Changed-By: Salvatore Bonaccorso
Closes: 104 105
Changes:
 libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix integer overflows with XML_PARSE_HUGE (CVE-2022-40303)
     (Closes: #104)
   * Fix dict corruption caused by entity reference cycles (CVE-2022-40304)
     (Closes: #105)
--- End Message ---