[Bug 1600717] [NEW] Sync expat 2.2.0-1 (main) from Debian unstable (main)

Mon, 11 Jul 2016 01:41:17 -0700 

Public bug reported:

Please sync expat 2.2.0-1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: unanticipated internal calls to srand
    - debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
      in lib/xmlparse.c.
    - debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
      32bit platforms in lib/xmlparse.c.
    - CVE-2012-6702
  * SECURITY UPDATE: use of too little entropy
    - debian/patches/CVE-2016-5300-1.patch: extract method
      gather_time_entropy in lib/xmlparse.c.
    - debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
      address in lib/xmlparse.c.
    - CVE-2016-5300
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed documents
    - debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
      and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
      lib/xmltok_impl.c.
    - CVE-2016-0718
  * SECURITY UPDATE: integer overflows in XML_GetBuffer
    - debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
      lib/xmlparse.c.
    - CVE-2015-1283

Everything is part of Debian and the new upstream release.

Changelog entries since current yakkety version 2.1.1-1ubuntu2:

expat (2.2.0-1) unstable; urgency=low

  * New upstream release, update symbols accordingly.
  * Use upstream manpage for xmlwf.
  * Drop all patches as this release contains those.

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Tue, 21 Jun 2016 15:29:58
+0000

expat (2.1.1-3) unstable; urgency=high

  * Use upstream fix for the following security vulnerabilities:
    - CVE-2012-6702, unanticipated internal calls to srand
    - CVE-2016-5300, use of too little entropy

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Sun, 05 Jun 2016 00:17:46
+0000

expat (2.1.1-2) unstable; urgency=high

  * Avoid relying on undefined behavior in CVE-2015-1283 fix.
  * Apply upstream patch to fix the root cause of CVE-2016-0718 and
    CVE-2016-0719 vulnerabilities.
  * Update Standards-Version to 3.9.8 .

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Mon, 16 May 2016 05:35:08
+0000

** Affects: expat (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: expat (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1600717

Title:
  Sync expat 2.2.0-1 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/expat/+bug/1600717/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to