Your message dated Tue, 26 Mar 2013 20:49:05 +0000
with message-id <e1ukanp-0002ns...@franck.debian.org>
and subject line Bug#703933: fixed in libxslt 1.1.26-14.1
has caused the Debian Bug report #703933,
regarding libxslt: CVE-2012-6139
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
703933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703933
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxslt
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for libxslt.

CVE-2012-6139[0]:
libxslt "xsltDocumentFunction()" and "xsltAddKey()" Denial of Service Vulnerabilities

There are patches and minimalized test cases available at [1,2,3,4].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6139
    http://security-tracker.debian.org/tracker/CVE-2012-6139
[1] https://bugzilla.gnome.org/show_bug.cgi?id=685328
[2] http://git.gnome.org/browse/libxslt/commit/?id=dc11b6b379a882418093ecc8adf11f6166682e8d
[3] https://bugzilla.gnome.org/show_bug.cgi?id=685330
[4] http://git.gnome.org/browse/libxslt/commit/?id=6c99c519d97e5fcbec7a9537d190efb442e4e833

Please adjust the affected versions in the BTS as needed.

Thank you for your work!

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.26-14.1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 703...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Mar 2013 20:31:18 +0100
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.26-14.1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 703933
Changes: 
 libxslt (1.1.26-14.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Upload as NMU acknowledged by Aron Xu.
   * Add patches to fix denial of service vulnerability (CVE-2012-6139)
     (Closes: #703933)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
