Your message dated Sat, 19 Feb 2022 07:34:06 +0000
with message-id <e1nlkfq-0003gc...@fasolo.debian.org>
and subject line Bug#1005895: fixed in expat 2.4.5-1
has caused the Debian Bug report #1005895,
regarding expat: CVE-2022-25236
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1005895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: expat
Version: 2.4.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/561
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for expat.

CVE-2022-25236[0]:
| xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to
| insert namespace-separator characters into namespace URIs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25236
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
[1] https://github.com/libexpat/libexpat/pull/561

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.4.5-1
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1005...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 Feb 2022 07:34:25 +0100
Source: expat
Architecture: source
Version: 2.4.5-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 1005894 1005895
Changes:
 expat (2.4.5-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2022-25235: certain validation of encoding, such as checks
       for whether a UTF-8 character is valid can cause code execution
       (closes: #1005894),
     - fixes CVE-2022-25236: passing namespace separator characters can cause
       code execution (closes: #1005895),
     - fixes CVE-2022-25313: an attacker can trigger stack exhaustion in
       build_model via a large nesting depth in the DTD element,
     - fixes CVE-2022-25314: integer overflow in function copyString(),
     - fixes CVE-2022-25315: integer overflow in function storeRawNames().

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
