Debian Bug report logs - #560936
CVE-2009-3560 and CVE-2009-3720 denial-of-services

Package: poco; Maintainer for poco is Krzysztof Burghardt <krzysztof@burghardt.pl>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 13 Dec 2009 04:09:42 UTC

Severity: serious

Tags: security

Fixed in version poco/1.3.6p1-1

Done: Patrick Gansterer <paroga@paroga.com>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Sun, 13 Dec 2009 04:09:45 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Sun, 13 Dec 2009 04:09:45 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Sat, 12 Dec 2009 22:53:49 -0500
package: poco
severity: serious
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat.  I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.

These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected.  This is a low-severity security
issue, so DSAs will not be issued to correct these problems.  However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases.  If you plan to do this, 
please open new bugs and include the security tag so we are aware that
you are working on that.

For further information see [0],[1],[2],[3].  In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
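Both CVE descriptions above come down to the same failure mode: a tokenizer walking UTF-8 input advances over a multi-byte sequence by the length its lead byte promises, without checking that those bytes are still inside the buffer. The scanner below is an added example in the spirit of expat's updatePosition, not expat's or POCO's code; the position_t and scan_status_t types, the function names and the sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Line/column position as an XML tokenizer keeps it for error reports.
 * Lines are 1-based; columns count characters since the last line break.
 * (Simplified illustration, not expat's POSITION type.) */
typedef struct {
    size_t line_number;
    size_t column_number;
} position_t;

typedef enum {
    SCAN_OK        = 0, /* whole buffer consumed                               */
    SCAN_TRUNCATED = 1, /* lead byte promises more bytes than remain in buffer  */
    SCAN_INVALID   = 2  /* byte cannot start a UTF-8 sequence, or bad trailer   */
} scan_status_t;

/* Total length of the UTF-8 sequence introduced by lead byte b, or 0 when b
 * is not a valid lead byte (a stray continuation byte, or 0xF8..0xFF). */
static size_t utf8_seq_len(unsigned char b) {
    if (b < 0x80)           return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Advance pos over [ptr, end). The essential defence is the check that the
 * bytes a lead byte promises actually lie inside the buffer: a scanner that
 * does `ptr += n` unconditionally steps past `end` on a truncated sequence
 * at the end of the input and then reads memory it does not own, which is
 * the buffer over-read class behind CVE-2009-3720 and CVE-2009-3560. */
scan_status_t update_position(const unsigned char *ptr, const unsigned char *end,
                              position_t *pos) {
    while (ptr < end) {              /* '<', not '!=': a jump past end still ends the loop */
        size_t n = utf8_seq_len(*ptr);
        if (n == 0)
            return SCAN_INVALID;
        if ((size_t)(end - ptr) < n) /* the bounds check a vulnerable scanner lacks */
            return SCAN_TRUNCATED;
        if (n == 1) {
            if (*ptr == '\n' || *ptr == '\r') {
                pos->line_number++;
                pos->column_number = 0;
                /* CR LF counts as one line break, as in XML end-of-line handling. */
                if (*ptr == '\r' && ptr + 1 < end && ptr[1] == '\n')
                    ptr++;
                ptr++;
                continue;
            }
        } else {
            /* Every continuation byte must be 10xxxxxx; safe to index because
             * the check above guarantees n bytes remain. */
            for (size_t i = 1; i < n; i++)
                if ((ptr[i] & 0xC0) != 0x80)
                    return SCAN_INVALID;
        }
        ptr += n;
        pos->column_number++;
    }
    return SCAN_OK;
}

/* Convenience wrapper for a byte buffer of known length. */
scan_status_t scan_buffer(const unsigned char *buf, size_t len, position_t *pos) {
    return update_position(buf, buf + len, pos);
}

int main(void) {
    /* Constructed inputs: well-formed text, and the same text cut off inside
     * a three-byte sequence (the euro sign U+20AC is E2 82 AC in UTF-8). */
    static const unsigned char ok[]  = "price: \xE2\x82\xAC" "5\n";
    static const unsigned char cut[] = "price: \xE2\x82";
    position_t p = {1, 0};
    printf("well-formed: status %d, line %zu col %zu\n",
           (int)scan_buffer(ok, sizeof ok - 1, &p), p.line_number, p.column_number);
    p.line_number = 1; p.column_number = 0;
    printf("truncated:   status %d, line %zu col %zu\n",
           (int)scan_buffer(cut, sizeof cut - 1, &p), p.line_number, p.column_number);
    return 0;
}
```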




Information forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Sun, 13 Dec 2009 15:33:47 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Sun, 13 Dec 2009 15:33:47 GMT)

Message #10 received at 560936@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Expat issues update
Date: Sun, 13 Dec 2009 10:29:27 -0500
Hi all,

In order to guarantee that the system expat is used, the
'--with-expat=sys' configure argument must be used.  If you think
your package is already using the system expat, or if you are updating
your package to use the system expat, please check to make sure that
this option is being used. Thanks.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Sun, 13 Dec 2009 16:27:58 GMT)

Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Sun, 13 Dec 2009 16:27:58 GMT)

Message #15 received at 560936@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 560912@bugs.debian.org
Cc: 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Re: Bug#560912: Expat issues update
Date: Sun, 13 Dec 2009 17:21:26 +0100
On 13.12.2009 16:29, Michael Gilbert wrote:
> Hi all,
>
> In order to guarantee that the system expat is used, the
> '--with-expat=sys' configure argument must be used.  If you think
> your package is already using the system expat, or if you are updating
> your package to use the system expat, please check to make sure that
> this option is being used. Thanks.

there's no such option for python, which uses a modified copy of expat.





Information forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Mon, 14 Dec 2009 07:57:49 GMT)

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Mon, 14 Dec 2009 07:57:49 GMT)

Message #20 received at 560936@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: 560932@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Re: Bug#560932: Bug#560912: Expat issues update
Date: Mon, 14 Dec 2009 08:55:03 +0100
On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
> On 13.12.2009 16:29, Michael Gilbert wrote:
> >Hi all,
> >
> >In order to guarantee that the system expat is used, the
> >'--with-expat=sys' configure argument must be used.  If you think
> >your package is already using the system expat, or if you are updating
> >your package to use the system expat, please check to make sure that
> >this option is being used. Thanks.
> 
> there's no such option for python, which uses a modified copy of expat.

Likewise with mozilla, which uses a heavily modified copy of expat.




Information forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Mon, 14 Dec 2009 12:15:46 GMT)

Acknowledgement sent to Ove Kaaven <ovek@arcticnet.no>:
Extra info received and forwarded to list. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Mon, 14 Dec 2009 12:15:46 GMT)

Message #25 received at 560936@bugs.debian.org:

From: Ove Kaaven <ovek@arcticnet.no>
To: Mike Hommey <mh@glandium.org>, 560937@bugs.debian.org
Cc: 560932@bugs.debian.org, 560948@bugs.debian.org, 560945@bugs.debian.org, 560935@bugs.debian.org, 560946@bugs.debian.org, 560921@bugs.debian.org, 560939@bugs.debian.org, 560949@bugs.debian.org, 560917@bugs.debian.org, 560924@bugs.debian.org, 560938@bugs.debian.org, 560919@bugs.debian.org, 560913@bugs.debian.org, 560916@bugs.debian.org, 560943@bugs.debian.org, 560920@bugs.debian.org, 560912@bugs.debian.org, 560931@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, 560918@bugs.debian.org, 560930@bugs.debian.org, 560940@bugs.debian.org, 560951@bugs.debian.org, 560933@bugs.debian.org, 560914@bugs.debian.org, 560922@bugs.debian.org, 560941@bugs.debian.org, 560926@bugs.debian.org, 560923@bugs.debian.org, 560942@bugs.debian.org, 560936@bugs.debian.org, 560915@bugs.debian.org, 560950@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560947@bugs.debian.org, 560929@bugs.debian.org, 560944@bugs.debian.org, 560934@bugs.debian.org, 560925@bugs.debian.org
Subject: Re: [pkg-fgfs-crew] Bug#560937: Bug#560932: Bug#560912: Expat issues update
Date: Mon, 14 Dec 2009 12:17:17 +0100
Mike Hommey wrote:
> On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
>> On 13.12.2009 16:29, Michael Gilbert wrote:
>>> Hi all,
>>>
>>> In order to guarantee that the system expat is used, the
>>> '--with-expat=sys' configure argument must be used.  If you think
>>> your package is already using the system expat, or if you are updating
>>> your package to use the system expat, please check to make sure that
>>> this option is being used. Thanks.
>> there's no such option for python, which uses a modified copy of expat.
> 
> Likewise with mozilla, which uses a heavily modified copy of expat.

And I think the xml parser in simgear was ripped from some version of
mozilla. (Of course, I wouldn't consider a security flaw in a flight
simulator library as critical as one in an actual web browser or
anything, so I'm not sure how much I need to worry...)




Information forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Tue, 15 Dec 2009 19:48:03 GMT)

Acknowledgement sent to Günter Obiltschnig <guenter.obiltschnig@appinf.com>:
Extra info received and forwarded to list. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Tue, 15 Dec 2009 19:48:03 GMT)

Message #30 received at 560936@bugs.debian.org:

From: Günter Obiltschnig <guenter.obiltschnig@appinf.com>
To: 560936@bugs.debian.org
Subject: Re: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Tue, 15 Dec 2009 20:39:26 +0100
This is fixed in POCO C++ Libraries release 1.3.6p1 (SVN 1.3.6 branch,
rev. 1298). In addition, this release can now be built with the system
expat.

--
Günter Obiltschnig
Applied Informatics Software Engineering GmbH
A-9184 St. Jakob im Rosental | St. Peter 33 | www.appinf.com
P: +43 4253 32596  M: +43 676 5166737  F: +43 4253 32096

Company Registration: FN 276491 f | Landesgericht Klagenfurt
Managing Director: DI Günter Obiltschnig








Reply sent to Patrick Gansterer <paroga@paroga.com>:
You have taken responsibility. (Sat, 26 Dec 2009 16:36:13 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 26 Dec 2009 16:36:13 GMT)

Message #35 received at 560936-close@bugs.debian.org:

From: Patrick Gansterer <paroga@paroga.com>
To: 560936-close@bugs.debian.org
Subject: Bug#560936: fixed in poco 1.3.6p1-1
Date: Sat, 26 Dec 2009 16:33:07 +0000
Source: poco
Source-Version: 1.3.6p1-1

We believe that the bug you reported is fixed in the latest version of
poco, which is due to be installed in the Debian FTP archive:


A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Gansterer <paroga@paroga.com> (supplier of updated poco package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 24 Dec 2009 11:13:32 +0100
Source: poco
Binary: libpoco-dev libpococrypto9-dbg libpococrypto9 libpocodata9-dbg libpocodata9 libpocofoundation9-dbg libpocofoundation9 libpocomysql9-dbg libpocomysql9 libpoconet9-dbg libpoconet9 libpoconetssl9-dbg libpoconetssl9 libpocoodbc9-dbg libpocoodbc9 libpocosqlite9-dbg libpocosqlite9 libpocoutil9-dbg libpocoutil9 libpocoxml9-dbg libpocoxml9 libpocozip9-dbg libpocozip9
Architecture: source i386
Version: 1.3.6p1-1
Distribution: unstable
Urgency: low
Maintainer: Krzysztof Burghardt <krzysztof@burghardt.pl>
Changed-By: Patrick Gansterer <paroga@paroga.com>
Description: 
 libpoco-dev - Development files for POCO - The C++ Portable Components
 libpococrypto9 - The C++ Portable Components Crypto library
 libpococrypto9-dbg - The C++ Portable Components Crypto library, debug version
 libpocodata9 - The C++ Portable Components Data library
 libpocodata9-dbg - The C++ Portable Components Data library, debug version
 libpocofoundation9 - The C++ Portable Components Foundation library
 libpocofoundation9-dbg - The C++ Portable Components Foundation library, debug version
 libpocomysql9 - The C++ Portable Components MySQL library
 libpocomysql9-dbg - The C++ Portable Components MySQL library, debug version
 libpoconet9 - The C++ Portable Components Network library
 libpoconet9-dbg - The C++ Portable Components Network library, debug version
 libpoconetssl9 - The C++ Portable Components Network library with SSL
 libpoconetssl9-dbg - The C++ Portable Components Network library with SSL, dbg version
 libpocoodbc9 - The C++ Portable Components ODBC library
 libpocoodbc9-dbg - The C++ Portable Components ODBC library, debug version
 libpocosqlite9 - The C++ Portable Components SQLite library
 libpocosqlite9-dbg - The C++ Portable Components SQLite library, debug version
 libpocoutil9 - The C++ Portable Components Util library
 libpocoutil9-dbg - The C++ Portable Components Util library, debug version
 libpocoxml9 - The C++ Portable Components XML library
 libpocoxml9-dbg - The C++ Portable Components XML library, debug version
 libpocozip9 - The C++ Portable Components Zip library
 libpocozip9-dbg - The C++ Portable Components Zip library, debug version
Closes: 545854 548113 560936
Changes: 
 poco (1.3.6p1-1) unstable; urgency=low
 .
   * New Upstream Version
   * Removed 20_unbundled.dpatch (merged into upstream)
   * Removed 30_sh-support.dpatch (merged into upstream)
 .
 poco (1.3.6-1) unstable; urgency=low
 .
   * New Upstream Version
   * Corrected package dependencies (Closes: #545854)
   * Removed 20_gcc44-missing-include.dpatch (merged into upstream)
   * Now using upstream unbundled implementation (Closes: #560936)
     + using r1294 from SVN poco 1.3.6 branch
     + new patch: 20_unbundled.dpatch
     + removed patch: 30_use-system-zlib.dpatch
     + new build dependencies: libpcre3-dev, libsqlite3-dev
   * Added 30_sh-support.dpatch to support sh4 (Closes: #548113)





Information forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Burghardt <krzysztof@burghardt.pl>:
Bug#560936; Package poco. (Mon, 04 Jan 2010 09:33:17 GMT)

Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Krzysztof Burghardt <krzysztof@burghardt.pl>. (Mon, 04 Jan 2010 09:33:17 GMT)

Message #40 received at 560936@bugs.debian.org:

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: CVE-2009-3560: Revised patch
Date: Mon, 04 Jan 2010 08:40:26 +0100
Hi,

After fixing CVE-2009-3560 in the expat package [1] I was informed that
it broke parsing [2] of some documents. After talking to upstream [3],
the fix for CVE-2009-3560 has been adjusted [4][5].

[1] http://bugs.debian.org/560901
[2] http://bugs.debian.org/561658
[3] http://mail.libexpat.org/pipermail/expat-discuss/2009-December/002644.html
[4] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166
[5] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166

Please note that I just copied the bug addresses from the mass bug
filing. I did not check whether you have already fixed the issue or whether
this information applies to you.

Regards, Daniel

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:41:38 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:11:33 2014; Machine Name: beach.debian.org