Your message dated Wed, 03 Feb 2010 09:52:21 +0000
with message-id <[email protected]>
and subject line Bug#560950: fixed in xotcl 1.6.5-1.1
has caused the Debian Bug report #560950,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
560950: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560950
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: xotcl
severity: serious
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat. I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.
CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.
These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected. This is a low-severity security
issue, so DSAs will not be issued to correct these problems. However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases. If you plan to do this,
please open new bugs and include the security tag so we are aware that
you are working on that.
For further information see [0],[1],[2],[3]. In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
--- End Message ---
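Both CVEs quoted in the report are the same bug class: a UTF-8 decoder that reads the continuation bytes a lead byte promises without first checking that those bytes are still inside the buffer, so a truncated or malformed sequence at the end of a document becomes a buffer over-read and a crash. The following is an added example written for this record; it is not code from the bug report, from expat, or from xotcl. It shows the bounds check that such a decoder needs, using a scanner that validates sequence length, continuation-byte form, and the overlong, surrogate and out-of-range cases, and that returns a distinct status for "truncated" versus "malformed". All function names and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not expat's code. Given a lead byte, return the number of
 * bytes the UTF-8 sequence claims to occupy, or 0 if the byte cannot start
 * a sequence (stray continuation byte, overlong C0/C1 lead, F5..FF). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return (lead >= 0xC2) ? 2 : 0; /* C0/C1 are overlong */
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return (lead <= 0xF4) ? 4 : 0; /* above F4 exceeds U+10FFFF */
    return 0;
}

enum utf8_status { UTF8_OK = 0, UTF8_TRUNCATED = 1, UTF8_MALFORMED = 2 };

/* Scan [buf, buf+len) and store the number of decoded scalar values in
 * *nchars. The function never reads past buf+len: before any continuation
 * byte is touched, the remaining length is compared against the length the
 * lead byte promises. A decoder that trusts the lead byte alone and reads
 * p[1..3] is the over-read pattern the CVEs above describe. */
enum utf8_status utf8_scan(const unsigned char *buf, size_t len, size_t *nchars)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t count = 0;

    while (p < end) {
        size_t n = utf8_seq_len(*p);
        if (n == 0) return UTF8_MALFORMED;
        if ((size_t)(end - p) < n) return UTF8_TRUNCATED; /* the check that must come first */

        for (size_t i = 1; i < n; i++) {
            if ((p[i] & 0xC0) != 0x80) return UTF8_MALFORMED; /* not a 10xxxxxx byte */
        }
        if (n == 3) {
            if (p[0] == 0xE0 && p[1] < 0xA0) return UTF8_MALFORMED; /* overlong 3-byte form */
            if (p[0] == 0xED && p[1] >= 0xA0) return UTF8_MALFORMED; /* UTF-16 surrogate range */
        } else if (n == 4) {
            if (p[0] == 0xF0 && p[1] < 0x90) return UTF8_MALFORMED; /* overlong 4-byte form */
            if (p[0] == 0xF4 && p[1] >= 0x90) return UTF8_MALFORMED; /* beyond U+10FFFF */
        }
        p += n;
        count++;
    }
    *nchars = count;
    return UTF8_OK;
}

/* Convenience wrappers (constructed for the example) returning one result each. */
int utf8_status_of(const char *s, size_t len)
{
    size_t n;
    return (int)utf8_scan((const unsigned char *)s, len, &n);
}

long utf8_count_or_neg(const char *s, size_t len)
{
    size_t n;
    return utf8_scan((const unsigned char *)s, len, &n) == UTF8_OK ? (long)n : -1;
}

int main(void)
{
    /* Constructed inputs: a valid sequence, one cut off mid-sequence at the
     * end of the buffer, and one with a bad continuation byte. */
    static const char *const names[] = { "OK", "TRUNCATED", "MALFORMED" };
    const char *valid = "h\xC3\xA9";   /* 'h' + U+00E9 */
    const char *cut   = "\xE2\x82";    /* first two bytes of U+20AC */
    const char *bad   = "\xC3\x28";    /* lead byte followed by '(' */

    printf("valid:     %s (%ld chars)\n", names[utf8_status_of(valid, 3)], utf8_count_or_neg(valid, 3));
    printf("truncated: %s\n", names[utf8_status_of(cut, 2)]);
    printf("malformed: %s\n", names[utf8_status_of(bad, 2)]);
    return 0;
}
```

The distinction between UTF8_TRUNCATED and UTF8_MALFORMED matters for a streaming parser: a truncated sequence at the end of the current chunk may be completed by the next chunk and should make the parser wait for more input, whereas a malformed sequence is a hard error. Either way the decision is taken before any byte past the buffer end is read.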
--- Begin Message ---
Source: xotcl
Source-Version: 1.6.5-1.1
We believe that the bug you reported is fixed in the latest version of
xotcl, which is due to be installed in the Debian FTP archive:
aolserver4-xotcl_1.6.5-1.1_all.deb
to main/x/xotcl/aolserver4-xotcl_1.6.5-1.1_all.deb
xotcl-dev_1.6.5-1.1_amd64.deb
to main/x/xotcl/xotcl-dev_1.6.5-1.1_amd64.deb
xotcl-doc_1.6.5-1.1_all.deb
to main/x/xotcl/xotcl-doc_1.6.5-1.1_all.deb
xotcl-shells_1.6.5-1.1_amd64.deb
to main/x/xotcl/xotcl-shells_1.6.5-1.1_amd64.deb
xotcl_1.6.5-1.1.diff.gz
to main/x/xotcl/xotcl_1.6.5-1.1.diff.gz
xotcl_1.6.5-1.1.dsc
to main/x/xotcl/xotcl_1.6.5-1.1.dsc
xotcl_1.6.5-1.1_amd64.deb
to main/x/xotcl/xotcl_1.6.5-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <[email protected]> (supplier of updated xotcl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 27 Jan 2010 10:02:03 +0100
Source: xotcl
Binary: xotcl xotcl-shells xotcl-doc xotcl-dev aolserver4-xotcl
Architecture: source all amd64
Version: 1.6.5-1.1
Distribution: unstable
Urgency: medium
Maintainer: Tcl/Tk Debian Packagers <[email protected]>
Changed-By: Alexander Reichle-Schmehl <[email protected]>
Description:
aolserver4-xotcl - Extended Object Tcl (XOTcl): Object orientation for AOLServer - m
xotcl - Extended Object Tcl (XOTcl): Object orientation for Tcl - shared
xotcl-dev - Extended Object Tcl (XOTcl): Object orientation for Tcl - develop
xotcl-doc - Extended Object Tcl (XOTcl): Object orientation for Tcl - manual
xotcl-shells - Extended Object Tcl (XOTcl): Object orientation for Tcl - shells
Closes: 560950
Changes:
xotcl (1.6.5-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Add --with-expat=sys to configure (Closes: #560950)
* Urgency medium due to RC bug fix
Checksums-Sha1:
a5142afeabe2c11884ce4adadae8e986c06b2d52 1308 xotcl_1.6.5-1.1.dsc
e7158f5eb13359a2c71c523ecfabdde039137630 6421 xotcl_1.6.5-1.1.diff.gz
961fc440d103aefb185aa161cf8e3d972f0f7dd4 1121586 xotcl-doc_1.6.5-1.1_all.deb
6d6ca5fd8d71a13b77d62407545ddae2afc0c81e 50732 aolserver4-xotcl_1.6.5-1.1_all.deb
9c2d200b2dd52ce72adb01b762604395bdf3b714 318746 xotcl_1.6.5-1.1_amd64.deb
48568c49d3d096331b3b42dce1f933ed9a89782b 225704 xotcl-shells_1.6.5-1.1_amd64.deb
3a6f49113beef7c27332a29f2b370bb16ba3193d 62776 xotcl-dev_1.6.5-1.1_amd64.deb
Checksums-Sha256:
5bce241140233fea636bf0a53d2f3a9f32d5a32c75be448c443c7b28b447ef6e 1308 xotcl_1.6.5-1.1.dsc
60da1771424db82f0fb5d26a70028f02361780bdd39a006c5ff795d630f6eaac 6421 xotcl_1.6.5-1.1.diff.gz
e618b186db469137167a25390316d37023aafe52ade1bfb9054fac02458e7303 1121586 xotcl-doc_1.6.5-1.1_all.deb
31d5e25fd48ebc39a4b3ea68a276af995acb6d9b377a355bc30bfa79159b5f0e 50732 aolserver4-xotcl_1.6.5-1.1_all.deb
dbb0647beea613c937d101a22662be19595cabc8d9a5e2c7bc88caeeeed26b10 318746 xotcl_1.6.5-1.1_amd64.deb
4b37f097e0a1480beba397781ec7c9ee5c5745638a2fb5ca4c78b570c848394c 225704 xotcl-shells_1.6.5-1.1_amd64.deb
ebb0c8f251e1bf2c044977097aeb44b8a893ebc933de1dccb56e4da3df235156 62776 xotcl-dev_1.6.5-1.1_amd64.deb
Files:
cd3f331a5be624effe432b62c4bb9224 1308 libs optional xotcl_1.6.5-1.1.dsc
fa291b8bc8d3022139f1fc2fd67cd625 6421 libs optional xotcl_1.6.5-1.1.diff.gz
86e802ec7522b4b10116fc18e06ee6f1 1121586 doc optional xotcl-doc_1.6.5-1.1_all.deb
081bf324a86f29ac64628d7296aac8f3 50732 httpd optional aolserver4-xotcl_1.6.5-1.1_all.deb
b574397f43d95e01b210bfc30d53f28e 318746 libs optional xotcl_1.6.5-1.1_amd64.deb
9ed4d3be0d6bef201faeeb9f9107f9cc 225704 utils optional xotcl-shells_1.6.5-1.1_amd64.deb
d5fc5692450d66cfe66cb6990567685a 62776 libdevel optional xotcl-dev_1.6.5-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktgA3wACgkQBxd04ADYzRbH2gCfdmfGslC4X1IRD9aRkNazIfpk
S6IAnjF1aGkFsbon8AWMUus5vGG5if0p
=RXK4
-----END PGP SIGNATURE-----
--- End Message ---