Ubuntu 17.10 aka artful has reached the end of its support lifetime,
closing artful's task. Thanks!
** Changed in: xmltooling (Ubuntu Artful)
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
ht
This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2
---
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium
* SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
- d/p/Add-disallowDoctype-to-parser-configuration.patch:
Generic protecti
Packages from security-proposed tested and look ok.
** Tags added: verification-done-xenial
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1752306
Title:
Security bug in XMLTooling-C before 1.6.4 [C
** Changed in: xmltooling (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: xmltooling (Ubuntu Xenial)
Assignee: (unassigned) => Emily Ratliff (emilyr)
--
Debdiff attached which fixes the problem for Xenial.
Since there is no corresponding Debian release to fakesync this from for
Xenial, I've just recreated the patch sequence against the version
already in Xenial. It includes the same two quilt patches which have
been fake-synced into Trusty, and a
This bug was fixed in the package xmltooling -
1.5.3-2+deb8u3build0.14.04.1
---
xmltooling (1.5.3-2+deb8u3build0.14.04.1) trusty-security; urgency=medium
* fake sync from Debian (LP: #1752306)
xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high
* [2890d0c] New patches fixi
Fixed in bionic in
https://launchpad.net/ubuntu/+source/xmltooling/1.6.4-1ubuntu2.
Still needs to be addressed in xenial and artful.
** Also affects: xmltooling (Ubuntu Bionic)
Importance: Undecided
Status: Fix Released
** Also affects: xmltooling (Ubuntu Xenial)
Importance: Undecid
"Incomplete" is noisier -- if we set this to 'confirmed' and no one
works on it, no one will ever be reminded of it. If we set this to
'incomplete' and no one works on it, folks will get an email when it
auto-expires and be reminded that it's still not fixed. Perhaps by then
someone will have more
Another question though. Why is this bug now "incomplete" when there's a
CVE that confirms this version has a flaw? It doesn't seem unverifiable.
--
Thanks for the explanation. Unfortunately all the Debian packaging stuff
puts it out of reach for me. I'll look into simply building my own stack
from source.
--
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is availabl
The 14.04 LTS xmltooling package shows up on
http://people.canonical.com/~ubuntu-security/d2u/ so there's a good chance we'll release a fakesync
from Debian to address this for trusty, but other releases will need
someone from the community to prepare and test a debdiff. Once it's
ready, attach it
It's been 2 weeks since this critical vuln was announced, and SPs
running Shibboleth on Ubuntu are dead in the water or insecure. Does
Ubuntu have any fix plan for this?
I've tried porting the Debian package stack myself but there are build
failures I don't have time to pursue.
--
Is there any forecast of a bugfix for Ubuntu 14.04?
--
Timeline?
--
To emphasize, this vulnerability allows remote access as any valid user
by any third party with no local foothold. It's a very bad one.
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: xmltooling (Ubuntu)
Status: New => Confirmed
--
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0489
--