[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Ubuntu 17.10 aka artful has reached the end of its support lifetime, closing artful's task. Thanks!

** Changed in: xmltooling (Ubuntu Artful)
       Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1752306

Title:
  Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2

---
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
    - d/p/Add-disallowDoctype-to-parser-configuration.patch: Generic
      protection against data forgery. Irrelevant under Xerces 3.1, but is
      a pre-req for the CVE-2018-0489 patch.
    - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch: New patches
      fixing CVE-2018-0489: additional data forgery flaws. These flaws allow
      for changes to an XML document that do not break a digital signature
      but alter the user data passed through to applications enabling
      impersonation attacks and exposure of protected information.

 -- Ray Link  Thu, 29 Mar 2018 15:17:35 -0400

** Changed in: xmltooling (Ubuntu Xenial)
       Status: In Progress => Fix Released
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Packages from security-proposed tested and look ok.

** Tags added: verification-done-xenial
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
** Changed in: xmltooling (Ubuntu Xenial)
       Status: Incomplete => In Progress

** Changed in: xmltooling (Ubuntu Xenial)
     Assignee: (unassigned) => Emily Ratliff (emilyr)
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Debdiff attached which fixes the problem for Xenial. Since there is no corresponding Debian release to fakesync this from for Xenial, I've just recreated the patch sequence against the version already in Xenial. It includes the same two quilt patches which have been fake-synced into Trusty, and already exist in Bionic:

- A one-line patch to add 'disallowDoctype' to the parser configuration. While this does nothing under the Xerces 3.1 in Xenial, it provides generic impersonation protection for Xerces 3.2. This patch is a pre-req to get the upstream CVE-2018-0489 patch to apply cleanly.
- Upstream's patch for CVE-2018-0489.

** Patch added: "debdiff for Xenial"
   https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+attachment/5095295/+files/CVE-2018-0489-xenial.debdiff
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Fixed in bionic in https://launchpad.net/ubuntu/+source/xmltooling/1.6.4-1ubuntu2. Still needs to be addressed in xenial and artful.

** Also affects: xmltooling (Ubuntu Bionic)
   Importance: Undecided
       Status: Fix Released

** Also affects: xmltooling (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: xmltooling (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: xmltooling (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Changed in: xmltooling (Ubuntu Trusty)
       Status: New => Fix Released

** Changed in: xmltooling (Ubuntu Xenial)
       Status: New => Incomplete

** Changed in: xmltooling (Ubuntu Artful)
       Status: New => Incomplete
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
This bug was fixed in the package xmltooling - 1.5.3-2+deb8u3build0.14.04.1

---
xmltooling (1.5.3-2+deb8u3build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1752306)

xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high

  * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in jessie, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.

 -- Steve Beattie  Tue, 20 Mar 2018 15:21:30 -0700

** Changed in: xmltooling (Ubuntu)
       Status: Incomplete => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0486
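The thread gives one fixed xmltooling version per Ubuntu release (trusty 1.5.3-2+deb8u3build0.14.04.1, xenial 1.5.6-2ubuntu0.2, bionic 1.6.4-1ubuntu2) and closes artful as Won't Fix. As an added example that is not part of the thread or of the Ubuntu packaging, the Python below checks an installed version string against those, reimplementing dpkg's version ordering so the check runs without dpkg; the installed version string is assumed to come from `dpkg-query -W -f='${Version}'` on the xmltooling binary package.

```python
import re
from itertools import zip_longest

# Added example, not from the bug thread: check an installed xmltooling version
# against the fixed versions posted in LP: #1752306 (artful was closed Won't Fix).
FIXED_VERSIONS = {
    "trusty": "1.5.3-2+deb8u3build0.14.04.1",
    "xenial": "1.5.6-2ubuntu0.2",
    "bionic": "1.6.4-1ubuntu2",
}

def _order(c):
    # dpkg character weight: end-of-string is 0, '~' sorts before it, letters by ASCII, others after
    if c is None:
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's rule: walk both fragments as alternating non-digit / digit runs,
    # comparing non-digit runs by character weight and digit runs numerically.
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    # '[epoch:]upstream[-debian_revision]', compared like dpkg --compare-versions:
    # negative if v1 < v2, zero if equal, positive if v1 > v2.
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_fixed(release, installed):
    # A release without a published fix (e.g. artful) is never reported as fixed.
    fixed = FIXED_VERSIONS.get(release)
    return fixed is not None and compare_versions(installed, fixed) >= 0
```

A release missing from the table is reported as not fixed rather than unknown, which is the safe answer for artful after its Won't Fix.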
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
"Incomplete" is noisier -- if we set this to 'confirmed' and no one works on it, no one will ever be reminded of it. If we set this to 'incomplete' and no one works on it, folks will get an email when it auto-expires and be reminded that it's still not fixed. Perhaps by then someone will have more time / enthusiasm for providing a fix. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1752306 Title: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489] To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Another question though. Why is this bug now "incomplete" when there's a CVE that confirms this version has a flaw? It doesn't seem unverifiable.
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Thanks for the explanation. Unfortunately all the debian packaging stuff puts it out of reach for me. I'll look into simply building my own stack from source.
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: xmltooling (Ubuntu)
       Status: Confirmed => Incomplete
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
The 14.04 LTS xmltooling package shows up on http://people.canonical.com/~ubuntu-security/d2u/ so there's a good chance we'll release a fakesync from Debian to address this for trusty, but other releases will need someone from the community to prepare and test a debdiff. Once it's ready, attach it here, and subscribe ubuntu-security-sponsors.

Thanks
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
It's been 2 weeks since this critical vuln was announced, and SPs running Shibboleth on Ubuntu are dead in the water or insecure. Does Ubuntu have any fix plan for this? I've tried porting the Debian package stack myself but there are build failures I don't have time to pursue.
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Is there any prevision of a bugfix for Ubuntu 14.04?
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Timeline?
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
To emphasize, this vulnerability allows remote access as any valid user by any third party with no local foothold. It's a very bad one.
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: xmltooling (Ubuntu)
       Status: New => Confirmed
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0489