Your message dated Sun, 10 Mar 2024 17:51:13 +0000
with message-id <[email protected]>
and subject line Bug#1065868: fixed in expat 2.6.1-2
has caused the Debian Bug report #1065868,
regarding expat: CVE-2024-28757
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1065868: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065868
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.6.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/842
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for expat.
CVE-2024-28757[0]:
| libexpat through 2.6.1 allows an XML Entity Expansion attack when
| there is isolated use of external parsers (created via
| XML_ExternalEntityParserCreate).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-28757
https://www.cve.org/CVERecord?id=CVE-2024-28757
[1] https://github.com/libexpat/libexpat/pull/842
[2] https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
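The report above names the entity-expansion ("billion laughs") class without showing how a defender measures it. As an added example, not code from expat, from the reporter or from this bug report, here is a stand-alone Python estimate of a document's entity amplification (bytes a parser would process after expansion divided by bytes received), the ratio that expat's own protection bounds; it computes the size arithmetically so the expansion is never materialised, and goes slightly beyond the page by also rejecting recursive entity definitions. All function names and the sample document are constructed for this example.

```python
import re
from typing import Dict, Optional

# Internal general entity declarations, e.g. <!ENTITY lol "lol">. Parameter
# entities (%name) and external entities (SYSTEM/PUBLIC) are out of scope.
_ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&([^;\s&<]+);')

def parse_internal_entities(document: str) -> Dict[str, str]:
    """Map entity name -> literal replacement text from the internal DTD subset."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _ENTITY_DECL.finditer(document)}

def expanded_length(text: str, entities: Dict[str, str],
                    stack: tuple = (), memo: Optional[dict] = None) -> int:
    """Size of `text` once every declared entity reference is fully expanded,
    computed arithmetically so the expansion is never materialised.
    Undeclared references (&amp; etc.) count as written; a cycle raises."""
    memo = {} if memo is None else memo
    total, last = 0, 0
    for m in _ENTITY_REF.finditer(text):
        total += m.start() - last        # literal bytes before the reference
        last = m.end()
        name = m.group(1)
        if name not in entities:
            total += m.end() - m.start()  # undeclared: left verbatim by parser
            continue
        if name in stack:
            raise ValueError(f"recursive entity reference: &{name};")
        if name not in memo:
            memo[name] = expanded_length(entities[name], entities, stack + (name,), memo)
        total += memo[name]
    return total + len(text) - last

def amplification(document: str) -> float:
    """Estimated expansion ratio: (bytes processed after entity expansion) /
    (bytes received). Computed independently of any XML parser, so it can
    gate input before the data reaches one."""
    entities = parse_internal_entities(document)
    head, sep, body = document.partition("]>")   # internal subset ends at "]>"
    if not sep:                                  # no DOCTYPE: whole doc is body
        head, body = "", document
    return (len(head) + len(sep) + expanded_length(body, entities)) / max(len(document), 1)

# Constructed sample: three 10-fold nesting levels, so &c; expands to 1000 bytes.
SAMPLE = ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
          '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><x>&c;</x>')
```

A real billion-laughs payload nests far deeper, so the ratio grows geometrically while this check stays linear in the DTD size.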
--- Begin Message ---
Source: expat
Source-Version: 2.6.1-2
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 10 Mar 2024 18:24:38 +0100
Source: expat
Architecture: source
Version: 2.6.1-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1065868
Changes:
expat (2.6.1-2) unstable; urgency=high
.
* Backport security fix for CVE-2024-28757: prevent billion laughs attacks
in isolated external parser (closes: #1065868).
--- End Message ---