Debian Bug report logs - #656377
libxml2: [PATCH] fix for CVE-2011-3919

version graph

Package: libxml2; Maintainer for libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxml2 is src:libxml2.

Reported by: Jamie Strandboge <jamie@ubuntu.com>

Date: Wed, 18 Jan 2012 21:33:01 UTC

Severity: grave

Tags: patch, security

Found in versions libxml2/2.6.32.dfsg-5+lenny4, libxml2/2.7.8.dfsg-5.1, libxml2/2.7.8.dfsg-2+squeeze1

Fixed in versions libxml2/2.7.8.dfsg-7, libxml2/2.7.8.dfsg-2+squeeze2, libxml2/2.6.32.dfsg-5+lenny5

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#656377; Package libxml2. (Wed, 18 Jan 2012 21:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jamie Strandboge <jamie@ubuntu.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Wed, 18 Jan 2012 21:33:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jamie Strandboge <jamie@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml2: [PATCH] fix for CVE-2011-3919
Date: Wed, 18 Jan 2012 15:12:16 -0600
[Message part 1 (text/plain, inline)]
Package: libxml2
Version: 2.7.8.dfsg-5.1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via buffer overflow
    - parser.c: fix an allocation error when copying entities
    - 5bd3c061823a8499b27422aee04ea20aae24f03e
    - CVE-2011-3919

Thanks for considering the patch.

References:
http://git.gnome.org/browse/libxml2/commit/?id=5bd3c061823a8499b27422aee04ea20aae24f03e
http://src.chromium.org/svn/trunk/src/third_party/libxml/README.chromium
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3919
http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[libxml2_2.7.8.dfsg-5.1ubuntu2.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#656377; Package libxml2. (Mon, 23 Jan 2012 02:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 23 Jan 2012 02:45:03 GMT) Full text and rfc822 format available.

Message #10 received at 656377@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 656377@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>
Subject: re: CVE-2011-3919
Date: Sun, 22 Jan 2012 21:43:47 -0500
[Message part 1 (text/plain, inline)]
Hi,

Attached is the patch I plan to apply as an nmu fixing an RC bug in
this package.

Best wishes,
Mike
[libxml2.patch (text/x-patch, attachment)]

Reply sent to bugzilla@tut.by (Andrew O. Shadura):
You have taken responsibility. (Mon, 23 Jan 2012 06:51:04 GMT) Full text and rfc822 format available.

Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Mon, 23 Jan 2012 06:51:04 GMT) Full text and rfc822 format available.

Message #15 received at 656377-close@bugs.debian.org (full text, mbox):

From: bugzilla@tut.by (Andrew O. Shadura)
To: 656377-close@bugs.debian.org
Subject: Bug#656377: fixed in libxml2 2.7.8.dfsg-7
Date: Mon, 23 Jan 2012 06:47:43 +0000
Source: libxml2
Source-Version: 2.7.8.dfsg-7

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.7.8.dfsg-7_i386.deb
  to main/libx/libxml2/libxml2-dbg_2.7.8.dfsg-7_i386.deb
libxml2-dev_2.7.8.dfsg-7_i386.deb
  to main/libx/libxml2/libxml2-dev_2.7.8.dfsg-7_i386.deb
libxml2-doc_2.7.8.dfsg-7_all.deb
  to main/libx/libxml2/libxml2-doc_2.7.8.dfsg-7_all.deb
libxml2-utils_2.7.8.dfsg-7_i386.deb
  to main/libx/libxml2/libxml2-utils_2.7.8.dfsg-7_i386.deb
libxml2_2.7.8.dfsg-7.diff.gz
  to main/libx/libxml2/libxml2_2.7.8.dfsg-7.diff.gz
libxml2_2.7.8.dfsg-7.dsc
  to main/libx/libxml2/libxml2_2.7.8.dfsg-7.dsc
libxml2_2.7.8.dfsg-7_i386.deb
  to main/libx/libxml2/libxml2_2.7.8.dfsg-7_i386.deb
python-libxml2-dbg_2.7.8.dfsg-7_i386.deb
  to main/libx/libxml2/python-libxml2-dbg_2.7.8.dfsg-7_i386.deb
python-libxml2_2.7.8.dfsg-7_i386.deb
  to main/libx/libxml2/python-libxml2_2.7.8.dfsg-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656377@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew O. Shadura <bugzilla@tut.by> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 Jan 2012 12:54:41 +0300
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source i386 all
Version: 2.7.8.dfsg-7
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Andrew O. Shadura <bugzilla@tut.by>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 656377
Changes: 
 libxml2 (2.7.8.dfsg-7) unstable; urgency=high
 .
   * Team upload.
   * parser.c: Fix an allocation error when copying entities.
     CVE-2011-3919. Closes: #656377.
Checksums-Sha1: 
 6f2a3e081660b2f27ccb842b155423d3b3a8795e 1738 libxml2_2.7.8.dfsg-7.dsc
 4ced6692fa7cd44d421b0f6287ac8f323a8e14e1 119921 libxml2_2.7.8.dfsg-7.diff.gz
 ecb7f1b153ca5477e6834f3ad1b1037245195d93 885380 libxml2_2.7.8.dfsg-7_i386.deb
 005da2a78bc3fab3f8dfa3a9ad32b1882a8502be 92050 libxml2-utils_2.7.8.dfsg-7_i386.deb
 a41fe0c82eb2f7489bcd7f1e6a75d132a9cb1231 814356 libxml2-dev_2.7.8.dfsg-7_i386.deb
 7c2f8b4bf2ed9e3eed30d45d8227b5ed8e74a3b6 1104776 libxml2-dbg_2.7.8.dfsg-7_i386.deb
 da0811d5d749e34bc6e135202883c23051cfc5f2 1379182 libxml2-doc_2.7.8.dfsg-7_all.deb
 7869bce7892c1fe1317831e701666e240ae719ad 367566 python-libxml2_2.7.8.dfsg-7_i386.deb
 2a896da4234df14a3064bc66b22beb8e67c0ecbe 826778 python-libxml2-dbg_2.7.8.dfsg-7_i386.deb
Checksums-Sha256: 
 4ca18affaf517871d1a8567ac031775340e8645c052e6f534f78c03824677b43 1738 libxml2_2.7.8.dfsg-7.dsc
 9d4446d8092d582b9f0dc640e5807728948c63788172231118442d8f3fff7e0a 119921 libxml2_2.7.8.dfsg-7.diff.gz
 de02bdc027c679e05d1c3da077d8aee6ec11ae03334d3be0eb96d086a4022de3 885380 libxml2_2.7.8.dfsg-7_i386.deb
 3ec3db8fce90b17f5ff026e3514f4e1652643d339d294da146f0fd0e3f7cd8fd 92050 libxml2-utils_2.7.8.dfsg-7_i386.deb
 e6f81da60979df41aef78e60eb93acd570b22f4044de20ab2cafbdc8a09c0aa3 814356 libxml2-dev_2.7.8.dfsg-7_i386.deb
 d86785c60d175db55642e7a20166c94cab0b4adb41b76d0fda3c9a4117dc522c 1104776 libxml2-dbg_2.7.8.dfsg-7_i386.deb
 cc79722f2fcab229e8a15745e33bb748bfdeda62e213983313c089a5b112c76f 1379182 libxml2-doc_2.7.8.dfsg-7_all.deb
 409a99bc6b9a4d195fc8ff1543151720ca4dc1dd5a94080f96846a0225643e88 367566 python-libxml2_2.7.8.dfsg-7_i386.deb
 5250729c62ac2f76e5479141eda1d0bc5f482e93bd7f4535904c5f4e5316ccbe 826778 python-libxml2-dbg_2.7.8.dfsg-7_i386.deb
Files: 
 5c98fcc81337ac567b3395d67d05e36f 1738 libs optional libxml2_2.7.8.dfsg-7.dsc
 3662251bba7a9ec40bba5a133ebfc104 119921 libs optional libxml2_2.7.8.dfsg-7.diff.gz
 0979a092c951849559b8b5935f51e036 885380 libs standard libxml2_2.7.8.dfsg-7_i386.deb
 5f701e4afce5bb55390b966f08ddc3ec 92050 text optional libxml2-utils_2.7.8.dfsg-7_i386.deb
 85aa6b51f8416d934f50d24253c713c4 814356 libdevel optional libxml2-dev_2.7.8.dfsg-7_i386.deb
 418dfde4d4ae11a16fddb0f4ab47aeae 1104776 debug extra libxml2-dbg_2.7.8.dfsg-7_i386.deb
 3391c92e3b0f3e62747c9ccb6db29eef 1379182 doc optional libxml2-doc_2.7.8.dfsg-7_all.deb
 58a1fb82f8f83ccfa884e9c9d06472d2 367566 python optional python-libxml2_2.7.8.dfsg-7_i386.deb
 8da30190c23236d4ff6d25ecf5bdae03 826778 debug extra python-libxml2-dbg_2.7.8.dfsg-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8c/tYACgkQ5UTeB5t8Mo3kDwCgznPdBH3Bo3Yqmhs0MmmtY48X
9p8An2Vd419Kf9oRRWTeiVK95QRb746y
=27Ti
-----END PGP SIGNATURE-----





Bug Marked as found in versions libxml2/2.7.8.dfsg-2+squeeze1. Request was from Aron Xu <happyaron.xu@gmail.com> to control@bugs.debian.org. (Mon, 23 Jan 2012 17:24:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions libxml2/2.6.32.dfsg-5+lenny4. Request was from Aron Xu <happyaron.xu@gmail.com> to control@bugs.debian.org. (Mon, 23 Jan 2012 18:45:03 GMT) Full text and rfc822 format available.

Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Sat, 28 Jan 2012 19:33:08 GMT) Full text and rfc822 format available.

Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Sat, 28 Jan 2012 19:33:08 GMT) Full text and rfc822 format available.

Message #24 received at 656377-close@bugs.debian.org (full text, mbox):

From: Aron Xu <aron@debian.org>
To: 656377-close@bugs.debian.org
Subject: Bug#656377: fixed in libxml2 2.7.8.dfsg-2+squeeze2
Date: Sat, 28 Jan 2012 19:32:14 +0000
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze2

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
  to main/libx/libxml2/libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
libxml2-dev_2.7.8.dfsg-2+squeeze2_amd64.deb
  to main/libx/libxml2/libxml2-dev_2.7.8.dfsg-2+squeeze2_amd64.deb
libxml2-doc_2.7.8.dfsg-2+squeeze2_all.deb
  to main/libx/libxml2/libxml2-doc_2.7.8.dfsg-2+squeeze2_all.deb
libxml2-utils_2.7.8.dfsg-2+squeeze2_amd64.deb
  to main/libx/libxml2/libxml2-utils_2.7.8.dfsg-2+squeeze2_amd64.deb
libxml2_2.7.8.dfsg-2+squeeze2.diff.gz
  to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze2.diff.gz
libxml2_2.7.8.dfsg-2+squeeze2.dsc
  to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze2.dsc
libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
  to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
python-libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
  to main/libx/libxml2/python-libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
python-libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
  to main/libx/libxml2/python-libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656377@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Jan 2012 03:25:23 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.7.8.dfsg-2+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 643648 652352 656377
Changes: 
 libxml2 (2.7.8.dfsg-2+squeeze2) stable-security; urgency=high
 .
   * Security update.
   * parser.c: Fix an allocation error when copying entities.
     CVE-2011-3919. Closes: #656377.
   * parser.c: Make sure parser returns when getting a Stop order.
     CVE-2011-3905.
   * encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352.
   * xpath.c: Fix for undefined namespaces. CVE-2011-2834.
   * xpath.c, xpointer.c, include/libxml/xpath.h:
     Hardening of XPath evaluation. CVE-2011-2821. Closes: 643648.
Checksums-Sha1: 
 4d579893c3c9a69c7a1501b9ad4ce19c902d7538 1848 libxml2_2.7.8.dfsg-2+squeeze2.dsc
 a6c44a21925893c5ae0d1f7278707f1dd943041c 114123 libxml2_2.7.8.dfsg-2+squeeze2.diff.gz
 602dfbdba01bfe2f7c077bb920cd34be482dbac0 872698 libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
 59e7ebb7d11d0d8d8a82c11282bfbdeceaeb12dd 93562 libxml2-utils_2.7.8.dfsg-2+squeeze2_amd64.deb
 a0772e321ee20d49179ca7a9493d14981e3e01b6 829522 libxml2-dev_2.7.8.dfsg-2+squeeze2_amd64.deb
 f0b2bf8baa6b5bce186fd0d27775f15044452005 989434 libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
 2f54b26e35dae817df246be61e8b49515248273b 1344280 libxml2-doc_2.7.8.dfsg-2+squeeze2_all.deb
 69790763f51d513364d5e114d62a9dec299f9e00 337756 python-libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
 dbecb1b40a1d5f91c4d38d527bcb7a955bda98b9 871316 python-libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
Checksums-Sha256: 
 6b800b7613067d10cac87f102e63c8f5a486ec9020cd48fee46b2944accd1cb9 1848 libxml2_2.7.8.dfsg-2+squeeze2.dsc
 4e47516b5fb6070c897bec33ac64f7aba23cdc56e8df5b90eaf27c0a45a6e95f 114123 libxml2_2.7.8.dfsg-2+squeeze2.diff.gz
 3752043bae775ad3ffeef4df72f79a59200560c300ddd25cd416f5510a67f0a7 872698 libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
 1b40087c1bacd9e3986a6134b42c80bab7f391cb310d3cb69a783daaa260f893 93562 libxml2-utils_2.7.8.dfsg-2+squeeze2_amd64.deb
 a5f197bd4053c849ac4ab4cf9d0d4d1a59e44c6fcab94686965afffc1f619d5a 829522 libxml2-dev_2.7.8.dfsg-2+squeeze2_amd64.deb
 1f53495e18fd6a8d662f4819f23e2ef6da72da840d88c54aa373a1e5f6777710 989434 libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
 12d013eb556c71704f3edd1c2bf3ea73a37920fd7281120808ebe48c3c724684 1344280 libxml2-doc_2.7.8.dfsg-2+squeeze2_all.deb
 758d069118af14a5d8cd27eae6ccda37cd6d7aafdac821ec2609f76dc003cb9c 337756 python-libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
 51933e3f1062421b1f562e3419037f7790460928f8eaeee257435cee36fea6a0 871316 python-libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
Files: 
 2289a483906e1bd815ac66723b1171fa 1848 libs optional libxml2_2.7.8.dfsg-2+squeeze2.dsc
 af0c7c2a628935f4c5e19a05731f2b65 114123 libs optional libxml2_2.7.8.dfsg-2+squeeze2.diff.gz
 a6e62127cb8bffb6e592b8175b337a1a 872698 libs standard libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
 41504ec2093d29ec6125ff5e9fce42c2 93562 text optional libxml2-utils_2.7.8.dfsg-2+squeeze2_amd64.deb
 3acf0aecf78055eb53b8296c1a0824fc 829522 libdevel optional libxml2-dev_2.7.8.dfsg-2+squeeze2_amd64.deb
 182a9fa5e1a65650e2b0510384ed1736 989434 debug extra libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb
 73772ba505e876f8525a5b5dbfca0201 1344280 doc optional libxml2-doc_2.7.8.dfsg-2+squeeze2_all.deb
 c97e21d629f7834c03b6a95eae5125d1 337756 python optional python-libxml2_2.7.8.dfsg-2+squeeze2_amd64.deb
 200a40737ccf8a659618961693e99af2 871316 debug extra python-libxml2-dbg_2.7.8.dfsg-2+squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCgAGBQJPHpGaAAoJEIAhAkTu07wNTBAIAK5JzAj+YHj6mIy+PcZQTxzp
5+wJ+omkhijL+UtDrCE3ZkimZcjf7PWoc8bLbiCjEeBb+PfD9oIE2dJUXN08iPKG
aPJNiXEt43L6Xp4mAQ7eGA7Onm5iEw+IGtZrS6ziOZQBrwN15QanvK93Am0XOFO9
8/CQPxeFEC/ZS6AWGrk7rEi4SD2UgYE0lrh2Tc4I7Jm9AlSY14nRaJkxPKdhoBfw
x0SVZZ0IYwx0mltLqkUwvMRVx8cSG6NAlr1BfrzVOkK87W/auNVi7Lcu8fs0E9bA
Nwjl3W8Sfzf7R3z/Wn+08fYk3GMNRkmruTxa4HdiPKbiYw55LxsPXbevQOOcpzc=
=rzTR
-----END PGP SIGNATURE-----





Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Mon, 30 Jan 2012 21:51:19 GMT) Full text and rfc822 format available.

Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Mon, 30 Jan 2012 21:51:19 GMT) Full text and rfc822 format available.

Message #29 received at 656377-close@bugs.debian.org (full text, mbox):

From: Aron Xu <aron@debian.org>
To: 656377-close@bugs.debian.org
Subject: Bug#656377: fixed in libxml2 2.6.32.dfsg-5+lenny5
Date: Mon, 30 Jan 2012 21:50:43 +0000
Source: libxml2
Source-Version: 2.6.32.dfsg-5+lenny5

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb
  to main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb
libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb
  to main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb
libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb
  to main/libx/libxml2/libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb
libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb
  to main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb
libxml2_2.6.32.dfsg-5+lenny5.diff.gz
  to main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny5.diff.gz
libxml2_2.6.32.dfsg-5+lenny5.dsc
  to main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny5.dsc
libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
  to main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
  to main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656377@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Jan 2012 06:04:56 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.6.32.dfsg-5+lenny5
Distribution: oldstable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 643648 652352 656377
Changes: 
 libxml2 (2.6.32.dfsg-5+lenny5) oldstable-security; urgency=high
 .
   * Security update.
   * parser.c: Fix an allocation error when copying entities.
     CVE-2011-3919. Closes: #656377.
   * parser.c: Make sure parser returns when getting a Stop order.
     CVE-2011-3905.
   * encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352.
   * xpath.c: Fix for undefined namespaces.
     CVE-2011-2834. Closes: 643648.
Checksums-Sha1: 
 04a90287debdfc7f7559f80e9e0dab808794e909 1647 libxml2_2.6.32.dfsg-5+lenny5.dsc
 9db39d08996626ab5c584214ef70e5e307e8b9f7 86309 libxml2_2.6.32.dfsg-5+lenny5.diff.gz
 20a9b17e35dcc7652f0e07ce0d54f0bfa79206a9 1307492 libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb
 8e436f404235b31ad0c68c97d23c070ee02bb650 861080 libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
 903e7dc78c52ea8b49789957a188c81a44ffbc02 37326 libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb
 99ba81e0ef39e2b679fc366c8b269da6acaadd4f 774076 libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb
 39bebbe51e9a142297e85b55d26634fa1362b834 988562 libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb
 bd2b69a0f895fc93ff1e6d5f91311bd23d2ee550 295928 python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
Checksums-Sha256: 
 1232b8cd41cdf7f295a23af260a151da9e26b89bb1a271c435aaab2dd6857bed 1647 libxml2_2.6.32.dfsg-5+lenny5.dsc
 1059796d4afa24699a5b59bcf9846ea215be06b2657298d526feda2bd3e3db84 86309 libxml2_2.6.32.dfsg-5+lenny5.diff.gz
 3e74d6c1d54fbd068a0ea19a4fefca4ec244784e73e664080eedd049f1460171 1307492 libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb
 d81e76796ebac9f079e720765102a6ad0c6c5abd7ec6e88caf19a2725f020c6c 861080 libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
 a44877fa3585934149ea1e756862dc0732296079e062200b537259e65212a23c 37326 libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb
 8677a517f84435e99441e8b6a3cd58876b6233a8581648c9a065625e81c27212 774076 libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb
 4afb005d1e38435d8dd180ab7a8c9cc491c141a442071516c94350a0e3091978 988562 libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb
 dcccd350a3e3f87f3a148a8af9cfa0940a9681d226b31653b653023396324c4a 295928 python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
Files: 
 86c24ecca29d1633dff0e7cccc285f06 1647 libs optional libxml2_2.6.32.dfsg-5+lenny5.dsc
 9cdf129340dce255b2dfb450ca4e06fe 86309 libs optional libxml2_2.6.32.dfsg-5+lenny5.diff.gz
 9826e7e6915ec8090e00d10483ad7031 1307492 doc optional libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb
 c327a8e8849388d294d60f95b4d14326 861080 libs optional libxml2_2.6.32.dfsg-5+lenny5_amd64.deb
 59fad6589fb7fd7f63bc796b7177ab89 37326 text optional libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb
 dea37e4e8b0e568d81751524a193a401 774076 libdevel optional libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb
 873db597ec1a1cfaf16f87e992298c63 988562 libdevel extra libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb
 53ffa695e87d37a6499b414d80f795ea 295928 python optional python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCgAGBQJPHpQ+AAoJEIAhAkTu07wNR5YH/3bk7aGqvpdFPMzWvUS6ks4m
uqi+d7SzE2ZkvEelsYRZ5SjqyvjgSYRnG6wq0VhIMD96v72K5Lo81YxeZCwUvsO+
q1lXnmJaBD62bUOFavwLKALHhrKCrvpDREV5mdDdcCRcM+sbRocuJBwSPPD5Fdwf
F+JLnAByVAAwqOL47ufxcOm2cr9wbuSDutbe5ond5tDHctfDMmVVHMDYK1Lwf4vN
olb453FjQBSowmpAvBktjId0mGz7koMi9wedjLIWuWVoKVKx97OXgCGZEuz26+HP
R3t93UDOWKs4qGeEdDi6Nne/Ve3HWaDHGR8H/adIJqlW3fZh0ejIL5kQUG5Etj4=
=wMNG
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:48:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:25:19 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.