[Touch-packages] [Bug 1963903] Re: expat relax fix for CVE-2022-25236 and possible regressions
This bug was fixed in the package expat - 2.2.9-1ubuntu0.4

---
expat (2.2.9-1ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Stack exhaustion
    - debian/patches/CVE-2022-25313.patch: prevent stack exhaustion in
      build_model in expat/lib/xmlparse.c.
    - debian/patches/fix-build_model-regression.patch: fix build_model
      regression in expat/lib/xmlparse.c.
    - debian/patches/protect-against-nested-element*: in expat/lib/xmlparse.
    - CVE-2022-25313
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-25314.patch: prevent integer overflow in
      copyString in expat/lib/xmlparse.c.
    - CVE-2022-25314
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-25315.patch: prevent integer overflow in
      storeRawNames in expat/lib/xmlparse.c.
    - CVE-2022-25315
  * SECURITY UPDATE: relax fix to CVE-2022-25236 with regard to RFC 3986
    URI characters and possibly regressions
    - debian/patches/CVE-2022-25236-3.patch: add a note on namespace URI
      validation in expat/doc/reference.html, expat/lib/expat.h.
    - debian/patches/CVE-2022-25236-4.patch: document namespace separator
      effect right in header expat/lib/expat.h.
    - debian/patches/CVE-2022-25236-5.patch: cover relaxed fix in tests.
    - debian/patches/CVE-2022-25236-6.patch: relax fix with regard to
      RFC 3986 URI characters in expat/lib/xmlparse.c. (LP: #1963903)
  * removing duplicated tests
    - debian/patches/fix_test_dup.patch: removing tests were duplicated in
      expat/tests/runtests.c.

 -- Leonidas Da Silva Barbosa Mon, 21 Feb 2022 15:48:46 -0300

** Changed in: expat (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to expat in Ubuntu.
https://bugs.launchpad.net/bugs/1963903

Title:
  expat relax fix for CVE-2022-25236 and possible regressions

Status in expat package in Ubuntu:
  Fix Released

Bug description:
  Sebastian Pipping reported to us that these additional fixes are
  required to fix properly CVE-2022-25236 in regard to RFC 3986 URI
  characters and possibly regressions as the merge request points.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/expat/+bug/1963903/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1963903] Re: expat relax fix for CVE-2022-25236 and possible regressions
This bug was fixed in the package expat - 2.2.5-3ubuntu0.7

---
expat (2.2.5-3ubuntu0.7) bionic-security; urgency=medium

  * SECURITY UPDATE: Stack exhaustion
    - debian/patches/CVE-2022-25313.patch: prevent stack exhaustion in
      build_model in expat/lib/xmlparse.c.
    - debian/patches/fix-build_model-regression.patch: fix build_model
      regression in expat/lib/xmlparse.c.
    - CVE-2022-25313
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-25314.patch: prevent integer overflow in
      copyString in expat/lib/xmlparse.c.
    - CVE-2022-25314
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-25315.patch: prevent integer overflow in
      storeRawNames in expat/lib/xmlparse.c.
    - CVE-2022-25315
  * SECURITY UPDATE: relax fix to CVE-2022-25236 with regard to RFC 3986
    URI characters and possibly regressions
    - debian/patches/CVE-2022-25236-3.patch: add a note on namespace URI
      validation in expat/doc/reference.html, expat/lib/expat.h.
    - debian/patches/CVE-2022-25236-4.patch: document namespace separator
      effect right in header expat/lib/expat.h.
    - debian/patches/CVE-2022-25236-5.patch: cover relaxed fix in tests.
    - debian/patches/CVE-2022-25236-6.patch: relax fix with regard to
      RFC 3986 URI characters in expat/lib/xmlparse.c. (LP: #1963903)

 -- Leonidas Da Silva Barbosa Tue, 08 Mar 2022 09:28:37 -0300

Status in expat package in Ubuntu:
  Fix Released
[Touch-packages] [Bug 1963903] Re: expat relax fix for CVE-2022-25236 and possible regressions
This bug was fixed in the package expat - 2.4.1-2ubuntu0.3

---
expat (2.4.1-2ubuntu0.3) impish-security; urgency=medium

  * SECURITY UPDATE: Stack exhaustion
    - debian/patches/CVE-2022-25313.patch: prevent stack exhaustion in
      build_model in expat/lib/xmlparse.c.
    - debian/patches/fix-build_model-regression.patch: fix build_model
      regression in expat/lib/xmlparse.c.
    - debian/patches/protect-against-nested-element*: in expat/lib/xmlparse.
    - CVE-2022-25313
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-25314.patch: prevent integer overflow in
      copyString in expat/lib/xmlparse.c.
    - CVE-2022-25314
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-25315.patch: prevent integer overflow in
      storeRawNames in expat/lib/xmlparse.c.
    - CVE-2022-25315
  * SECURITY UPDATE: relax fix to CVE-2022-25236 with regard to RFC 3986
    URI characters and possibly regressions
    - debian/patches/CVE-2022-25236-3.patch: add a note on namespace URI
      validation in expat/doc/reference.html, expat/lib/expat.h.
    - debian/patches/CVE-2022-25236-4.patch: document namespace separator
      effect right in header expat/lib/expat.h.
    - debian/patches/CVE-2022-25236-5.patch: cover relaxed fix in tests.
    - debian/patches/CVE-2022-25236-6.patch: relax fix with regard to
      RFC 3986 URI characters in expat/lib/xmlparse.c. (LP: #1963903)

 -- Leonidas Da Silva Barbosa Mon, 21 Feb 2022 14:42:01 -0300

** Changed in: expat (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-25236

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-25313

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-25314

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-25315

** Changed in: expat (Ubuntu)
       Status: In Progress => Fix Released

Status in expat package in Ubuntu:
  Fix Released
[Touch-packages] [Bug 1963903] Re: expat relax fix for CVE-2022-25236 and possible regressions
https://github.com/exxamalte/python-aio-georss-client/issues/29

** Bug watch added: github.com/exxamalte/python-aio-georss-client/issues #29
   https://github.com/exxamalte/python-aio-georss-client/issues/29

Status in expat package in Ubuntu:
  In Progress
[Touch-packages] [Bug 1963903] Re: expat relax fix for CVE-2022-25236 and possible regressions
https://github.com/libexpat/libexpat/pull/577

Status in expat package in Ubuntu:
  In Progress