Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org: Bug#629225; Package lua-expat.
(Sat, 04 Jun 2011 16:00:08 GMT)
Acknowledgement sent
to Enrico Tassi <gareuselesinge@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org.
(Sat, 04 Jun 2011 16:00:08 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Possible denial of service (AKA “billion laughs” attack)
Date: Sat, 04 Jun 2011 17:58:06 +0200
Package: lua-expat
Version: 1.1.0
Severity: important
Tags: security
Version 1.1.x of lua-expat exposes applications to the DoS explained at:
http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html#N100F1
Version 1.2.0 (released to cope with that) adds a couple of APIs to let
applications protect themselves from this kind of attack.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
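The report above names the attack but not the new lua-expat calls, so the following is an added example, not code from the bug report or from lua-expat. It demonstrates the mechanism the report refers to, aborting the parse from a DTD callback before the parser expands anything, using Python's standard-library binding to the same libexpat that lua-expat wraps. The handler names (EntityDeclHandler, CharacterDataHandler) are pyexpat's, not lua-expat's, and the sample documents are constructed here; the attack document is kept deliberately small.

```python
# Added example (not from the bug report or lua-expat): refusing a
# "billion laughs" document from expat callbacks, via Python's stdlib
# binding to libexpat.  Handler names are pyexpat's, not lua-expat's.
import xml.parsers.expat as expat

# Constructed sample input: a small billion-laughs document.  Three levels
# of tenfold expansion turn one 3-byte entity into 1000 copies (3000 bytes)
# from about 300 bytes of input; real attacks use nine or more levels.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed benign input for comparison.
BENIGN = b'<?xml version="1.0"?><doc><item>hello</item></doc>'


class XmlRejected(Exception):
    """Raised inside a handler to abort parsing; expat re-raises it to the caller."""


def parse_text(data, allow_entity_decls=False, max_text_bytes=1 << 20):
    """Parse `data` and return its concatenated character data.

    Two independent defences:
      * by default, any <!ENTITY ...> declaration aborts the parse before
        expat has expanded anything (the cheapest point to refuse);
      * when declarations are allowed, the expanded character data is
        capped at `max_text_bytes`, so the output cannot grow without bound.
    """
    parser = expat.ParserCreate()
    chunks = []
    total = 0

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fired once per declaration in the DTD, before the document body.
        if not allow_entity_decls:
            raise XmlRejected("entity declaration %r not allowed" % name)

    def on_character_data(text):
        # Fired for each piece of (already expanded) text; keep a running total.
        nonlocal total
        total += len(text.encode("utf-8"))
        if total > max_text_bytes:
            raise XmlRejected("expanded text exceeds %d bytes" % max_text_bytes)
        chunks.append(text)

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_character_data
    parser.Parse(data, True)
    return "".join(chunks)


def check(data, **options):
    """Return ("ok", text) or ("rejected", reason) for one document."""
    try:
        return ("ok", parse_text(data, **options))
    except XmlRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check(BENIGN))
    print(check(BILLION_LAUGHS))
    status, text = check(BILLION_LAUGHS, allow_entity_decls=True)
    print(status, len(text))
    print(check(BILLION_LAUGHS, allow_entity_decls=True, max_text_bytes=1000))
```

The first defence is the one that matters: the amplification happens inside the parser, so a size check on the input or on the finished output comes too late, while a declaration callback fires before any expansion. If an application never needs a DTD at all, pyexpat's StartDoctypeDeclHandler can reject the document one step earlier, at the DOCTYPE itself.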
Reply sent
to Enrico Tassi <gareuselesinge@debian.org>:
You have taken responsibility.
(Sat, 04 Jun 2011 16:36:07 GMT)
Notification sent
to Enrico Tassi <gareuselesinge@debian.org>:
Bug acknowledged by developer.
(Sat, 04 Jun 2011 16:36:08 GMT)
Source: lua-expat
Source-Version: 1.2.0-1
We believe that the bug you reported is fixed in the latest version of
lua-expat, which is due to be installed in the Debian FTP archive:
liblua5.1-expat-dev_1.2.0-1_amd64.deb
to main/l/lua-expat/liblua5.1-expat-dev_1.2.0-1_amd64.deb
liblua5.1-expat0_1.2.0-1_amd64.deb
to main/l/lua-expat/liblua5.1-expat0_1.2.0-1_amd64.deb
lua-expat_1.2.0-1.diff.gz
to main/l/lua-expat/lua-expat_1.2.0-1.diff.gz
lua-expat_1.2.0-1.dsc
to main/l/lua-expat/lua-expat_1.2.0-1.dsc
lua-expat_1.2.0.orig.tar.gz
to main/l/lua-expat/lua-expat_1.2.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 629225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Enrico Tassi <gareuselesinge@debian.org> (supplier of updated lua-expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 04 Jun 2011 18:02:33 +0200
Source: lua-expat
Binary: liblua5.1-expat0 liblua5.1-expat-dev
Architecture: source amd64
Version: 1.2.0-1
Distribution: unstable
Urgency: high
Maintainer: Enrico Tassi <gareuselesinge@debian.org>
Changed-By: Enrico Tassi <gareuselesinge@debian.org>
Description:
liblua5.1-expat-dev - libexpat development files for the Lua language version 5.1
liblua5.1-expat0 - libexpat bindings for the Lua language version 5.1
Closes: 629225
Changes:
lua-expat (1.2.0-1) unstable; urgency=high
.
* new upstream release adding APIs to prevent the “billion laughs”
denial-of-service attack (Closes: #629225)
Checksums-Sha1:
1656b8c7b0d676e06472d5b8504cb8bf214bc82e 1237 lua-expat_1.2.0-1.dsc
76f036e6fb928a3e5f3c3ba1b854e5fef8e1b28f 28621 lua-expat_1.2.0.orig.tar.gz
d0c6fc6dea36c63e880258b88f550c475f4795f5 2630 lua-expat_1.2.0-1.diff.gz
a4450cd2b9940e4590ec2fc504850500259cd184 12370 liblua5.1-expat0_1.2.0-1_amd64.deb
5734066344b9c50f5f4875f25b9b13a8cfc786cb 28690 liblua5.1-expat-dev_1.2.0-1_amd64.deb
Checksums-Sha256:
2226a6d63e84f33b4989a50bb3297f4e17f6d5dcab1cadb39e75ffa6cc7cc8a8 1237 lua-expat_1.2.0-1.dsc
2a7140e9c1923510639e87b60e85d7ddd0cd4e27561663bd9d4031ef90bae5ef 28621 lua-expat_1.2.0.orig.tar.gz
006b345601f3f031ac0c920aa239286a4f251724afb92b278b6c87bcd22ea2b5 2630 lua-expat_1.2.0-1.diff.gz
3d97fecd687716ed75691123069e3f6c206a50512a3591798565f24ff2654ad4 12370 liblua5.1-expat0_1.2.0-1_amd64.deb
2d6ce5fc269168fd56b9a898cca3c9f4ed13d1adad4176ac5ed44c8412f3da07 28690 liblua5.1-expat-dev_1.2.0-1_amd64.deb
Files:
e276c0b71702b9d42bb0b5737d408e8d 1237 interpreters optional lua-expat_1.2.0-1.dsc
03efe50c7f30a34580701e6527d7bfee 28621 interpreters optional lua-expat_1.2.0.orig.tar.gz
8711c8f5b0418b8b87fa3dee52bba8ff 2630 interpreters optional lua-expat_1.2.0-1.diff.gz
9eee0a5e4d3841adc0c749cb4a39a7d7 12370 interpreters optional liblua5.1-expat0_1.2.0-1_amd64.deb
7ec7c8173e1fcc216ea331853801f527 28690 libdevel optional liblua5.1-expat-dev_1.2.0-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk3qWVMACgkQ7kkcPgEj8vJ47ACeOgbjx6r6l9q5rCGnxZJiDPSa
QZYAoJCk4x5huJdzybfKwul6Ttv+NE+1
=OReA
-----END PGP SIGNATURE-----
Bug No longer marked as fixed in versions lua-expat/1.2.0-1 and reopened.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 04 Jun 2011 16:42:08 GMT)
Bug Marked as fixed in versions 1.2.0-1.
Request was from Enrico Tassi <gareuselesinge@debian.org>
to control@bugs.debian.org.
(Sat, 04 Jun 2011 16:57:02 GMT)
Reply sent
to Enrico Tassi <gareuselesinge@debian.org>:
You have taken responsibility.
(Wed, 08 Jun 2011 02:00:09 GMT)
Notification sent
to Enrico Tassi <gareuselesinge@debian.org>:
Bug acknowledged by developer.
(Wed, 08 Jun 2011 02:00:09 GMT)
Subject: Bug#629225: fixed in lua-expat 1.2.0-0squeeze1
Date: Wed, 08 Jun 2011 01:56:48 +0000
Source: lua-expat
Source-Version: 1.2.0-0squeeze1
We believe that the bug you reported is fixed in the latest version of
lua-expat, which is due to be installed in the Debian FTP archive:
liblua5.1-expat-dev_1.2.0-0squeeze1_amd64.deb
to main/l/lua-expat/liblua5.1-expat-dev_1.2.0-0squeeze1_amd64.deb
liblua5.1-expat0_1.2.0-0squeeze1_amd64.deb
to main/l/lua-expat/liblua5.1-expat0_1.2.0-0squeeze1_amd64.deb
lua-expat_1.2.0-0squeeze1.diff.gz
to main/l/lua-expat/lua-expat_1.2.0-0squeeze1.diff.gz
lua-expat_1.2.0-0squeeze1.dsc
to main/l/lua-expat/lua-expat_1.2.0-0squeeze1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 629225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Enrico Tassi <gareuselesinge@debian.org> (supplier of updated lua-expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 05 Jun 2011 19:15:33 +0200
Source: lua-expat
Binary: liblua5.1-expat0 liblua5.1-expat-dev
Architecture: source amd64
Version: 1.2.0-0squeeze1
Distribution: stable
Urgency: low
Maintainer: Enrico Tassi <gareuselesinge@debian.org>
Changed-By: Enrico Tassi <gareuselesinge@debian.org>
Description:
liblua5.1-expat-dev - libexpat development files for the Lua language version 5.1
liblua5.1-expat0 - libexpat bindings for the Lua language version 5.1
Closes: 629225
Changes:
lua-expat (1.2.0-0squeeze1) stable; urgency=low
.
* new upstream release adding APIs to prevent the “billion laughs”
denial-of-service attack (Closes: #629225)
Checksums-Sha1:
ab9e43caab524473fad4d0f16152e007ad728429 1269 lua-expat_1.2.0-0squeeze1.dsc
76f036e6fb928a3e5f3c3ba1b854e5fef8e1b28f 28621 lua-expat_1.2.0.orig.tar.gz
7b9e0d14df3e5e39d917f5964f7ba184aed39d29 2590 lua-expat_1.2.0-0squeeze1.diff.gz
004f8c957959b41f66380c676aee73ea3173f0c2 12172 liblua5.1-expat0_1.2.0-0squeeze1_amd64.deb
13910a19bf9806f4b93e991e60b6db35f2ba682e 29036 liblua5.1-expat-dev_1.2.0-0squeeze1_amd64.deb
Checksums-Sha256:
955d269954db0afdb30bef07afd71f58306cbc2845747e9f35ff063b6abe93d8 1269 lua-expat_1.2.0-0squeeze1.dsc
2a7140e9c1923510639e87b60e85d7ddd0cd4e27561663bd9d4031ef90bae5ef 28621 lua-expat_1.2.0.orig.tar.gz
8c257ab565fbb730f31aaad184967105640ce2cb70f40612cbc6230ba1a0b565 2590 lua-expat_1.2.0-0squeeze1.diff.gz
9516ae3bfc82bed89bda8547b9783d02dcd96b0345a935eaeac68e0ae26fe403 12172 liblua5.1-expat0_1.2.0-0squeeze1_amd64.deb
d206dd14f7330456110f4d969288c5563f1c103f71f56d03ba045acf59803983 29036 liblua5.1-expat-dev_1.2.0-0squeeze1_amd64.deb
Files:
db7e165c92ca29ca93452b0b7db100e4 1269 interpreters optional lua-expat_1.2.0-0squeeze1.dsc
03efe50c7f30a34580701e6527d7bfee 28621 interpreters optional lua-expat_1.2.0.orig.tar.gz
d92a64853fe7fc28229db1f4d7d52b04 2590 interpreters optional lua-expat_1.2.0-0squeeze1.diff.gz
25eccc6ac5a5fec742bb301deeec9db8 12172 interpreters optional liblua5.1-expat0_1.2.0-0squeeze1_amd64.deb
60aebcbf79b25e2b1255db6bacfbe0ce 29036 libdevel optional liblua5.1-expat-dev_1.2.0-0squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk3r1PQACgkQ7kkcPgEj8vLphQCeNupayvS52dKKgslIN08ZhNyv
cIEAn0FNjbr0AlScBhpRvqZtG/Fuhuq6
=+Nz+
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 06 Jul 2011 07:31:25 GMT)