This bug was fixed in the package expat - 2.2.0-1
Sponsored for LocutusOfBorg (costamagnagianfranco)
---------------
expat (2.2.0-1) unstable; urgency=low

  * New upstream release, update symbols accordingly.
  * Use upstream manpage for xmlwf.
  * Drop all patches as this release contains those.

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Tue, 21 Jun 2016 15:29:58 +0000

expat (2.1.1-3) unstable; urgency=high

  * Use upstream fix for the following security vulnerabilities:
    - CVE-2012-6702, unanticipated internal calls to srand
    - CVE-2016-5300, use of too little entropy

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Sun, 05 Jun 2016 00:17:46 +0000

expat (2.1.1-2) unstable; urgency=high

  * Avoid relying on undefined behavior in CVE-2015-1283 fix.
  * Apply upstream patch to fix the root cause of CVE-2016-0718 and
    CVE-2016-0719 vulnerabilities.
  * Update Standards-Version to 3.9.8.

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Mon, 16 May 2016 05:35:08 +0000

** Changed in: expat (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6702
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1283
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0718
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0719
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5300

https://bugs.launchpad.net/bugs/1600717

Title:
  Sync expat 2.2.0-1 (main) from Debian unstable (main)

Status in expat package in Ubuntu:
  Fix Released

Bug description:
  Please sync expat 2.2.0-1 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: unanticipated internal calls to srand
      - debian/patches/CVE-2012-6702-1.patch: remove srand, use more
        entropy in lib/xmlparse.c.
      - debian/patches/CVE-2012-6702-2.patch: use a prime that fits
        32bits on 32bit platforms in lib/xmlparse.c.
      - CVE-2012-6702
    * SECURITY UPDATE: use of too little entropy
      - debian/patches/CVE-2016-5300-1.patch: extract method
        gather_time_entropy in lib/xmlparse.c.
      - debian/patches/CVE-2016-5300-2.patch: extract entropy from
        XML_Parser address in lib/xmlparse.c.
      - CVE-2016-5300
    * SECURITY UPDATE: denial of service and possible code execution via
      malformed documents
      - debian/patches/CVE-2016-0718.patch: fix out of bounds memory
        access and integer overflow in lib/xmlparse.c, lib/xmltok.c,
        lib/xmltok.h, lib/xmltok_impl.c.
      - CVE-2016-0718
    * SECURITY UPDATE: integer overflows in XML_GetBuffer
      - debian/patches/CVE-2015-1283-refix.patch: improved existing fix
        in lib/xmlparse.c.
      - CVE-2015-1283

  Everything is part of Debian and the new upstream release.

  Changelog entries since current yakkety version 2.1.1-1ubuntu2:
  (quoted above)
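The "integer overflows in XML_GetBuffer" item and the 2.1.1-2 entry "Avoid relying on undefined behavior in CVE-2015-1283 fix" describe one bug class: a parser computes the bytes it needs as `kept + len` in signed ints, and a check placed after that addition is either defeated by wrap-around or is itself undefined behaviour, so a too-small allocation is made and the caller's `len`-byte write overruns the heap. The C below is an added illustration of that class beside the correct check; it is not expat's code, the `parse_buf` type and the `needed_unsafe`, `needed_safe`, `get_buffer` and `buf_append` names are invented for this example, and the sizes and two-chunk input are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not expat's implementation: a XML_GetBuffer-style API
 * where `kept` unconsumed bytes sit at the front of the buffer and the
 * caller asks for `len` more writable bytes after them. */
typedef struct {
    char *data;      /* allocation, or NULL before first use */
    int   kept;      /* unconsumed input bytes at the front of data */
    int   capacity;  /* allocated size of data */
} parse_buf;

/* The broken shape: add first, test the sign afterwards. Signed overflow
 * is undefined behaviour in C, so the compiler may drop the test, and a
 * wrapped, too-small size reaches the allocator while the caller still
 * writes len bytes. Shown only for contrast; never call it with values
 * whose sum could overflow. */
int needed_unsafe(int kept, int len) {
    int needed = kept + len;           /* may overflow: UB */
    return needed < 0 ? -1 : needed;   /* check comes too late */
}

/* The correct shape: decide whether kept + len fits BEFORE adding, using
 * only arithmetic that cannot overflow. Returns -1 when the request
 * must be refused. */
int needed_safe(int kept, int len) {
    if (kept < 0 || len < 0)
        return -1;
    if (len > INT_MAX - kept)          /* kept + len would exceed INT_MAX */
        return -1;
    return kept + len;
}

/* Return len writable bytes after the kept input, growing the buffer if
 * required. NULL means the request was refused or allocation failed. */
char *get_buffer(parse_buf *b, int len) {
    int needed = needed_safe(b->kept, len);
    if (needed < 0)
        return NULL;
    if (needed > b->capacity) {
        int cap = b->capacity > 0 ? b->capacity : 1024;
        while (cap < needed) {
            if (cap > INT_MAX / 2) {   /* doubling would overflow */
                cap = needed;
                break;
            }
            cap *= 2;
        }
        char *p = realloc(b->data, (size_t)cap);
        if (p == NULL)
            return NULL;
        b->data = p;
        b->capacity = cap;
    }
    return b->data + b->kept;
}

/* Caller side: copy n bytes of input into the buffer the parser hands
 * back, then account for them as kept. 0 on success, -1 if refused. */
int buf_append(parse_buf *b, const char *src, int n) {
    char *dst = get_buffer(b, n);
    if (dst == NULL)
        return -1;
    memcpy(dst, src, (size_t)n);
    b->kept += n;                      /* cannot overflow: checked above */
    return 0;
}

int main(void) {
    parse_buf b = { NULL, 0, 0 };
    /* Constructed input: a small document delivered in two chunks. */
    buf_append(&b, "<root>", 6);
    buf_append(&b, "</root>", 7);
    printf("kept=%d capacity=%d oversized request refused=%s\n",
           b.kept, b.capacity,
           get_buffer(&b, INT_MAX) == NULL ? "yes" : "no");
    free(b.data);
    return 0;
}
```

The point to carry over to any buffer-growth code is the order of operations in `needed_safe`: the bound is checked against `INT_MAX - kept` before the addition happens, so no intermediate value can overflow, and the same discipline is applied to the doubling loop in `get_buffer`.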

