Your message dated Sun, 26 Oct 2014 01:04:16 +0000
with message-id <e1xicfk-00027q...@franck.debian.org>
and subject line Bug#765722: fixed in libxml2 2.9.2+dfsg1-1
has caused the Debian Bug report #765722,
regarding CVE-2014-3660 libxml2 billion laugh variant
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
765722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765722
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxml2
Severity: serious
Tags: security patch

Hi,

The Netherlands Cyber Security Center announced an issue in libxml2.
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

It seems to be a variant of the classic 'billion laughs' vulnerability.
Upstream has fixed this in 2.9.2:

https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230

Cheers,
Thijs

--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.2+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <a...@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Oct 2014 07:04:50 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.9.2+dfsg1-1
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Aron Xu <a...@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 765722
Changes:
 libxml2 (2.9.2+dfsg1-1) unstable; urgency=low
 .
   * New upstream release (Closes: #765722, CVE-2014-3660)
   * Remove no-longer-needed upstream patches
   * Update distro patch
   * Std-ver: 3.9.5 -> 3.9.6, no change.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
