Your message dated Wed, 31 Jan 2024 10:03:35 +0000
with message-id <[email protected]>
and subject line Bug#1059315: fixed in tinyxml 2.6.2-6+deb12u1
has caused the Debian Bug report #1059315,
regarding tinyxml: CVE-2023-34194
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1059315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059315
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tinyxml
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,
https://www.forescout.com/resources/sierra21-vulnerabilities
mentions three security issues in Tinyxml:

CVE-2023-34194[0]:
| StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
| TinyXML through 2.6.2 has a reachable assertion (and application
| exit) via a crafted XML document with a '\0' located after
| whitespace.


CVE-2023-40462[1]:
| The ACEManager component of ALEOS 4.16 and earlier does not
| perform input sanitization during authentication, which could
| potentially result in a Denial of Service (DoS) condition for
| ACEManager without impairing other router functions. ACEManager
| recovers from the DoS condition by restarting within ten seconds of
| becoming unavailable.


CVE-2023-40458[2]:
| Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
| in Sierra Wireless, Inc ALEOS could potentially allow a remote
| attacker to trigger a Denial of Service (DoS) condition for
| ACEManager without impairing other router functions. This condition
| is cleared by restarting the device.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34194
    https://www.cve.org/CVERecord?id=CVE-2023-34194
[1] https://security-tracker.debian.org/tracker/CVE-2023-40462
    https://www.cve.org/CVERecord?id=CVE-2023-40462
[2] https://security-tracker.debian.org/tracker/CVE-2023-40458
    https://www.cve.org/CVERecord?id=CVE-2023-40458

Please adjust the affected versions in the BTS as needed.

--- End Message ---
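The report above describes CVE-2023-34194 as an assertion in the declaration parser that crafted input can reach. As an added illustration (not TinyXML's source and not the Debian patch), the following models that parsing path in a few lines: an assert-based string comparison of the kind the CVE text names, beside a hardened form that treats end-of-input as "no match" so a document truncated after whitespace is rejected instead of aborting the process. Function names and the declaration grammar here are simplifications assumed for the example.

```cpp
// Added example: simplified model of the CVE-2023-34194 parsing path.
// Not TinyXML code; names and structure are assumptions for illustration.
#include <cassert>
#include <cctype>
#include <cstring>
#include <string>

// Vulnerable shape (modelled on the CVE text): asserts that the cursor is
// not at end-of-input, so a '\0' reached after whitespace aborts the process.
bool StringEqualAssert(const char* p, const char* tag) {
    assert(p && *p);  // reachable from parser input: crash, not a parse error
    return std::strncmp(p, tag, std::strlen(tag)) == 0;
}

// Hardened form: an exhausted cursor is simply "does not match".
bool StringEqualSafe(const char* p, const char* tag) {
    if (!p || !*p) return false;
    return std::strncmp(p, tag, std::strlen(tag)) == 0;
}

static const char* SkipWhiteSpace(const char* p) {
    while (p && *p && std::isspace(static_cast<unsigned char>(*p))) ++p;
    return p;
}

// Parses "<?xml ... ?>". Returns true and fills `version` on a complete
// declaration; returns false (never aborts) on truncated or malformed input.
bool ParseDeclaration(const std::string& doc, std::string& version) {
    const char* p = doc.c_str();
    if (!StringEqualSafe(p, "<?xml")) return false;
    p += 5;
    for (;;) {
        p = SkipWhiteSpace(p);
        if (!*p) return false;                      // NUL after whitespace
        if (StringEqualSafe(p, "?>")) return true;  // end of declaration
        if (StringEqualSafe(p, "version=\"")) {
            p += 9;
            const char* end = std::strchr(p, '"');
            if (!end) return false;                 // unterminated value
            version.assign(p, end);
            p = end + 1;
        } else {
            ++p;                                    // skip unrecognised byte
        }
    }
}

// Convenience wrapper: declared version, or "" if the declaration is rejected.
std::string DeclaredVersion(const std::string& doc) {
    std::string version;
    return ParseDeclaration(doc, version) ? version : std::string();
}
```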
--- Begin Message ---
Source: tinyxml
Source-Version: 2.6.2-6+deb12u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
tinyxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated tinyxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 25 Jan 2024 04:27:36 +0100
Source: tinyxml
Architecture: source
Version: 2.6.2-6+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Felix Geyer <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1059315
Changes:
 tinyxml (2.6.2-6+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2023-34194: Reachable assertion (and application exit) via a
     crafted XML document with a '\0' located after whitespace.
     (Closes: #1059315)


--- End Message ---
