Public bug reported:

Explanation:
open-vm-tools 9.10.2 synced from Debian introduces two new build dependencies. This MIR requests that both libxerces-c and libxml-security-c be promoted to main.

These build dependencies support the SAML based guest authentication. open-vm-tools was MIR with Bug #1220950

[PACKAGE: xml-security-c]

Apache XML Security for C++ is a library for the XML Digital Security specification. It provides processing and handling of XML Key Management Specifications (XKMS) messages.

Availability: universe, Debian

Rationale: build dependency for SAML Based guest authentication in open-vm-tools

Security: There have been 5 CVEs, with four in 2013:
[1] CVE-2013-2153 - signature validation bypass issue
[2] CVE-2013-2154 - stack overflow during XPointer evaluation
[3] CVE-2013-2155 - DoS attack through crafted HMAC authentication
[4] CVE-2013-2156 - heap overflow potentially allowing arbitrary code execution

[1] http://santuario.apache.org/secadv.data/CVE-2013-2153.txt
[2] http://santuario.apache.org/secadv.data/CVE-2013-2154.txt
[3] http://santuario.apache.org/secadv.data/CVE-2013-2155.txt
[4] http://santuario.apache.org/secadv.data/CVE-2013-2156.txt

QA: This is an official project under the Apache foundation. The project is actively maintained. See: https://svn.apache.org/viewvc/santuario/

[PACKAGE: xerces-c]

Xerces-C++ is a validating XML parser written in a portable subset of C++.

Availability: universe, Debian

Rationale: build dependency for SAML Based guest authentication in open-vm-tools

Security: A review of the CVE history shows 3 CVEs since 2004. There was one CVE in 2015 (CVE-2015-0252) and before that in 2009 (CVE-2009-1885). CVE-2009-1885 was a DoS vector caused by malformed DTDs.

QA: This package is an official project under the Apache foundation and has been around since 2004. The project is actively maintained. See https://svn.apache.org/viewvc/xerces/c/?root=Apache-SVN

Dependencies: Package is maintained in Debian and Ubuntu.

** Affects: open-vm-tools (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1482777

Title:
  [MIR] open-vm-tools 9.10.2 build dependencies: xml-security-c and xerces-c
