Your message dated Sat, 30 Dec 2023 22:34:59 +0000
with message-id <[email protected]>
and subject line Bug#1059315: fixed in tinyxml 2.6.2-6.1
has caused the Debian Bug report #1059315,
regarding tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1059315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059315
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tinyxml
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
https://www.forescout.com/resources/sierra21-vulnerabilities
mentions three security issues in Tinyxml:
CVE-2023-34194[0]:
| StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
| TinyXML through 2.6.2 has a reachable assertion (and application
| exit) via a crafted XML document with a '\0' located after
| whitespace.
CVE-2023-40462[1]:
| The ACEManager component of ALEOS 4.16 and earlier does not
| perform input sanitization during authentication, which could
| potentially result in a Denial of Service (DoS) condition for
| ACEManager without impairing other router functions. ACEManager
| recovers from the DoS condition by restarting within ten seconds of
| becoming unavailable.
CVE-2023-40458[2]:
| Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
| in Sierra Wireless, Inc ALEOS could potentially allow a remote
| attacker to trigger a Denial of Service (DoS) condition for
| ACEManager without impairing other router functions. This condition
| is cleared by restarting the device.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-34194
https://www.cve.org/CVERecord?id=CVE-2023-34194
[1] https://security-tracker.debian.org/tracker/CVE-2023-40462
https://www.cve.org/CVERecord?id=CVE-2023-40462
[2] https://security-tracker.debian.org/tracker/CVE-2023-40458
https://www.cve.org/CVERecord?id=CVE-2023-40458
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: tinyxml
Source-Version: 2.6.2-6.1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tinyxml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated tinyxml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Dec 2023 22:49:10 +0100
Source: tinyxml
Architecture: source
Version: 2.6.2-6.1
Distribution: unstable
Urgency: medium
Maintainer: Felix Geyer <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1059315
Changes:
tinyxml (2.6.2-6.1) unstable; urgency=medium
.
* Non-maintainer upload.
.
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database.
.
[ Felix Geyer ]
* Set Homepage to the SourceForge project since the original website
is offline.
.
[ Guilhem Moulin ]
* Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application
exit) via a crafted XML document with a '\0' located after whitespace.
(Closes: #1059315)
Checksums-Sha1:
758831892d0ffc542b3944336a0c9223363fe550 1968 tinyxml_2.6.2-6.1.dsc
e14f5d56b2a04a1982d8a9e32c612f28f54f6df9 5568 tinyxml_2.6.2-6.1.debian.tar.xz
a37d1b4704f5a99a966a2aac5ab6b54543daf5bd 6893 tinyxml_2.6.2-6.1_amd64.buildinfo
Checksums-Sha256:
7ab6d9a5521e4afe97a6fb729a731581211f873ea707f18880f78204a533d617 1968
tinyxml_2.6.2-6.1.dsc
6b440c3f64767be9fc60f2702776cc0b7ac3667195d34ae3337192cc7cd43500 5568
tinyxml_2.6.2-6.1.debian.tar.xz
34f44b7eae9278e471352e2e50822ee7429bf35a49f25bd0e670c902883e7000 6893
tinyxml_2.6.2-6.1_amd64.buildinfo
Files:
7d2f6d87f27b61e33bf178e32934120f 1968 libs optional tinyxml_2.6.2-6.1.dsc
839712067a9b8f4c1a83bdc3bdef5a3d 5568 libs optional
tinyxml_2.6.2-6.1.debian.tar.xz
cab9cf04ca6732d2b6436a60ee49cf0a 6893 libs optional
tinyxml_2.6.2-6.1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmWQkf8ACgkQ05pJnDwh
pVLaSxAArFCqLWbjAUufrfpZrbPc1P4SRBXtVuQuGo4aTW9kcftxbOWB19lzOpHk
GwNiL0xCCjr2mm+1awxOCLyqaV4TlNuUWocewvU80eoX3VoMl1sY6/K99cQMdKeP
Ll0gaDBjeMPcx9vXukUtE9oH9q9u0LZShUJE3+YVu0T2dYpg4Lm+Zo7624dre/2A
OT/aEKNBGuplOOrF8uiZAgWuqdreZ/niJmm722kDzzbF+YdjaJDJ0LDUhJju6T/A
inLRI5auUwpZ9i/aCGZk0fT1kIXQkvAirtuAVDqcc8V35cmmXRG0V+SfOyXAmCv+
iwbIZzLpTwD6xu7AirmteCaF/LOs3GXeCuhol230ChnO4lWJuyF72/sXFkJZkQ3j
/11jnd3Nf/P+CP5HqbvaFmOdvPcMlqa4u4O5aHy113XjfG/fcGnzGell+VEkyI4E
+qu7bPMiOqgD9UCT55YTrZKNFHWzirXUkRhW9aiqXmAswJ/azjR4tyLg3iYyJ2H8
2/i0UUWInd99nQi8YfudLHDd5QAoyenidBtqOymy9GtYpXy+1/ozXRMl2NiBskWS
Al49U+aRUZgYh4KS9PmVyWA5+gIHggiCGx2MYqQ2zWym2zUgbT9oYWI+UlYT15Cp
SKK6ZOKSNm0YWEz6fcxtgimVQHhemWqWLdWdjC8LbZDQQhpO+Qo=
=fGSV
-----END PGP SIGNATURE-----
--- End Message ---