Your message dated Sat, 26 Feb 2022 19:47:34 +0000
with message-id <e1no32u-000777...@fasolo.debian.org>
and subject line Bug#1005895: fixed in expat 2.2.6-2+deb10u3
has caused the Debian Bug report #1005895,
regarding expat: CVE-2022-25236
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1005895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: expat
Version: 2.4.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/561
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for expat.

CVE-2022-25236[0]:
| xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to
| insert namespace-separator characters into namespace URIs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25236
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
[1] https://github.com/libexpat/libexpat/pull/561

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.2.6-2+deb10u3
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1005...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 20 Feb 2022 17:19:40 +0100
Source: expat
Architecture: source
Version: 2.2.6-2+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1005894 1005895
Changes:
 expat (2.2.6-2+deb10u3) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent stack exhaustion in build_model (CVE-2022-25313)
   * Prevent integer overflow in storeRawNames (CVE-2022-25315)
   * Prevent integer overflow in copyString (CVE-2022-25314)
   * lib: Fix (harmless) use of uninitialized memory
   * lib: Protect against malicious namespace declarations (CVE-2022-25236)
     (Closes: #1005895)
   * tests: Cover CVE-2022-25236
   * lib: Drop unused macro UTF8_GET_NAMING
   * lib: Add missing validation of encoding (CVE-2022-25235)
     (Closes: #1005894)
   * tests: Cover missing validation of encoding (CVE-2022-25235)
   * Fix build_model regression.
   * tests: Protect against nested element declaration model regressions
Package-Type: udeb
Checksums-Sha1:
 2d2f037225288140c25fadf648ee5c029279e072 2136 expat_2.2.6-2+deb10u3.dsc
 3f2ca2ee5db7b68a647122320424edb7278dc087 25028 expat_2.2.6-2+deb10u3.debian.tar.xz
Checksums-Sha256:
 2b58ea166b515d88311e65047aaa81b701a3a4581fbb56e5dd76933a86883a93 2136 expat_2.2.6-2+deb10u3.dsc
 99ccca69578e5bfff55b0fd5d21bf24ca2eda1a9e2f5a10610bc27409ca3f1b0 25028 expat_2.2.6-2+deb10u3.debian.tar.xz
Files:
 4f5240df4513afd5a160db2289a2e932 2136 text optional expat_2.2.6-2+deb10u3.dsc
 9880ac9da76b4cf265135e1d5d24853a 25028 text optional expat_2.2.6-2+deb10u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
