Debian Bug report logs - #714241
xml-security-c: CVE-2013-2210

version graph

Package: xml-security-c; Maintainer for xml-security-c is Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 27 Jun 2013 07:03:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions xml-security-c/1.6.1-7, xml-security-c/1.7.2-1, xml-security-c/1.6.1-5+deb7u2, xml-security-c/1.5.1-3+squeeze3

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 07:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 07:03:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xml-security-c: CVE-2013-2210
Date: Thu, 27 Jun 2013 09:01:26 +0200
Package: xml-security-c
Severity: grave
Tags: security patch
Justification: user security hole

Hi Russ,

the following vulnerability was published for xml-security-c. It looks
the fix for CVE-2013-2154 introduced the possibility of a heap overflow.

CVE-2013-2210[0]:
heap overflow during XPointer evaluation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
    http://security-tracker.debian.org/tracker/CVE-2013-2210
[1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
[2] http://svn.apache.org/viewvc?view=revision&revision=r1496703

Could you double check this, and prepare packages for squeeze and
wheezy too?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 17:30:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 17:30:04 GMT) Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 714241@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#714241: xml-security-c: CVE-2013-2210
Date: Thu, 27 Jun 2013 10:26:24 -0700
Salvatore Bonaccorso <carnil@debian.org> writes:

> the following vulnerability was published for xml-security-c. It looks
> the fix for CVE-2013-2154 introduced the possibility of a heap overflow.

> CVE-2013-2210[0]:
> heap overflow during XPointer evaluation

Yeah, thanks -- working on this today.  I was going to work on it
yesterday but then something else I was working on didn't go as planned.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 17:30:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 17:30:07 GMT) Full text and rfc822 format available.

Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Thu, 27 Jun 2013 21:09:09 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Jun 2013 21:09:09 GMT) Full text and rfc822 format available.

Message #20 received at 714241-close@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 714241-close@bugs.debian.org
Subject: Bug#714241: fixed in xml-security-c 1.6.1-7
Date: Thu, 27 Jun 2013 21:05:23 +0000
Source: xml-security-c
Source-Version: 1.6.1-7

We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:44:56 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-7
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes: 
 xml-security-c (1.6.1-7) unstable; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.  (Closes: #714241, CVE-2013-2210)
Checksums-Sha1: 
 00bfb2fe2d2610247399a92d25be1b6741fb1894 1785 xml-security-c_1.6.1-7.dsc
 88bab9e767cbba07ad789b245547fcfcc461a096 12009 xml-security-c_1.6.1-7.debian.tar.gz
 7fc0b8e1da45668cfc87100eb5217643a3a8bfca 359686 libxml-security-c16_1.6.1-7_i386.deb
 58f871c561ee58e67ccfa167404bf9d4bc641917 151294 libxml-security-c-dev_1.6.1-7_i386.deb
Checksums-Sha256: 
 2b9323dc02ceb2705fc22395dcd4e170f72c8cc3bea321689c69d86c02a09774 1785 xml-security-c_1.6.1-7.dsc
 dc9308b535a57592ae450c8374be2eb6081d539c1f64d44c79ab11095153555b 12009 xml-security-c_1.6.1-7.debian.tar.gz
 82342fc3a0982d62e5fbf0a2a2eb089747f9ae4a8dc1dde7cbbcceb83fdce1be 359686 libxml-security-c16_1.6.1-7_i386.deb
 a9530bad8d09482a79ea7322bd1c422fd6156e4c0480b6893a2f27cdb6e9eab7 151294 libxml-security-c-dev_1.6.1-7_i386.deb
Files: 
 094bf36076fe14078fe156029ec8a981 1785 libs extra xml-security-c_1.6.1-7.dsc
 2818b708f8525ede455dfa57f768c2a5 12009 libs extra xml-security-c_1.6.1-7.debian.tar.gz
 2526c149389b0d418653aaf56036cd2e 359686 libs extra libxml-security-c16_1.6.1-7_i386.deb
 153a8eee6ee8d937e6a66ae331b579cf 151294 libdevel extra libxml-security-c-dev_1.6.1-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRzKYiAAoJEH2AMVxXNt51WL0H/jG3B/qEKrDXDtuViCeU/7ke
ez8KhhY7gmTojUl+qY0X5xkjnH50dpCBh+0HmmPwDodyRjAeHH+vnVmbOX/Sfaea
5DBLHuq6+eF0f/9Zlwxx6/xkO5z/wzjpxA9aOiTOKK99WO145PBshvVacmK2vt4I
vblFWXr3Cmo7i1YMqbqXNhAGFGm8mvFUI5/+X9KjquqkOHzw8gupsy5nN7TxWOep
Dmvuen9GC+ce+8U1AONZJ1ZcOGqFk+rd264BkpgqQCsr4CetJ5Qlr5x0gD6Q9419
tvEf36pE0oRI1wdLmMhuSzOroaTSuPY4XrOd4c0adYXwXKhNu3OfcHodtERwcT8=
=c4fI
-----END PGP SIGNATURE-----




Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Thu, 27 Jun 2013 21:09:13 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Jun 2013 21:09:13 GMT) Full text and rfc822 format available.

Message #25 received at 714241-close@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 714241-close@bugs.debian.org
Subject: Bug#714241: fixed in xml-security-c 1.7.2-1
Date: Thu, 27 Jun 2013 21:05:34 +0000
Source: xml-security-c
Source-Version: 1.7.2-1

We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:00:54 -0700
Source: xml-security-c
Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils
Architecture: source i386
Version: 1.7.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 714241
Changes: 
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code.  Fix that heap
       overflow.  (Closes: #714241, CVE-2013-2210)
Checksums-Sha1: 
 eea2280cf4b9542193e1ec78af1736e700168355 1841 xml-security-c_1.7.2-1.dsc
 fee59d5347ff0666802c8e5aa729e0304ee492bc 875465 xml-security-c_1.7.2.orig.tar.gz
 37f7cecc570e7f0e83a09c1a1c301a62b53f4140 12024 xml-security-c_1.7.2-1.debian.tar.xz
 7d9a425c3fae7bd8d7b193be726ee4af383ac969 279102 libxml-security-c17_1.7.2-1_i386.deb
 87a7de0704530cc794b8e86643dbd3091274fa2a 110818 libxml-security-c-dev_1.7.2-1_i386.deb
 449e2a02058dc840e04a85e81d144d05d8249d25 120508 xml-security-c-utils_1.7.2-1_i386.deb
Checksums-Sha256: 
 c22ae064be9b7b681cf4c6497ad6ef3649f24c5497d698ea9d07ac5f35a26710 1841 xml-security-c_1.7.2-1.dsc
 d576b07bb843eaebfde3be01301db40504ea8e8e477c0ad5f739b07022445452 875465 xml-security-c_1.7.2.orig.tar.gz
 50e9ce850a35457602edbaddee58b0ecccfdabee2515f1a2ecb6655752da667c 12024 xml-security-c_1.7.2-1.debian.tar.xz
 7b0ce19c4e77d366754dbb8cb814db3d967884e61b0a0b9730c2e999126cb809 279102 libxml-security-c17_1.7.2-1_i386.deb
 bd5f0d2acabed65cd24fa22d26f9e5c07ab074d2dd95344119ee39da89bee967 110818 libxml-security-c-dev_1.7.2-1_i386.deb
 aec9ba52f52837a02fc469e5036bf2c2b82d29aaf25cc315ad198c3ef7b64b86 120508 xml-security-c-utils_1.7.2-1_i386.deb
Files: 
 f142b0bd9081ecc5cdd50007410ef9cf 1841 libs extra xml-security-c_1.7.2-1.dsc
 2487e00569f6465f7070389e40a3d84f 875465 libs extra xml-security-c_1.7.2.orig.tar.gz
 0672e72dce6d315bdda2a1bb34fc8a08 12024 libs extra xml-security-c_1.7.2-1.debian.tar.xz
 473dfed2707bd4a2569991fc66321ac6 279102 libs extra libxml-security-c17_1.7.2-1_i386.deb
 1fd67612c8653987583d6d4282843596 110818 libdevel extra libxml-security-c-dev_1.7.2-1_i386.deb
 8b391edddc3e08cd1af8fd82ca5a854b 120508 utils extra xml-security-c-utils_1.7.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRzJ5BAAoJEH2AMVxXNt51kZ8H+wR6GrybFrKzrYyh9UQ0pacr
QZFq5fAEyNtcoCt2eIkYFzNQIWuV4CWxvmok/+I65t3exrfFd3ZfJQ9lA1I3SKPL
zTWRGYkU6T3hovEO4fzTX8LoxUsDCrIeYhzDsD3j9pYj7yK4SikVs7zVfIyrL5lv
yr5iLzcmr/I0TqFmGwjzK3NhkKCYCBHdAHIFCIjv+81vl6PNpo/NPZl26em+KmHA
JTMhO08Sae1/xwYuxgLEhJvTEK1dMhN7vAPPzcGN/UxHzvsjHE7HTSkWbKaNfXwM
WYbnqvAa9l0kv9V8sQOUBnXPk2W2RROZwIJgt9OmCNCBZ4jOWbRECHoiPiSG5L8=
=YXbC
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#714241; Package xml-security-c. (Thu, 27 Jun 2013 22:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Thu, 27 Jun 2013 22:33:05 GMT) Full text and rfc822 format available.

Message #30 received at 714241@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 714241@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#714241: xml-security-c: CVE-2013-2210
Date: Thu, 27 Jun 2013 15:29:42 -0700
[Message part 1 (text/plain, inline)]
Salvatore Bonaccorso <carnil@debian.org> writes:

> Could you double check this, and prepare packages for squeeze and
> wheezy too?

I've uploaded fixed versions for experimental and unstable.  Here are the
debdiff patches for wheezy and squeeze.  Permission to upload to the
security queue?

Please note that Shibboleth doesn't exercise this part of the code, so I
don't personally have any application that tests this part of the
library.  However, the upstream change is fairly simple.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

[squeeze.diff (text/x-diff, attachment)]
[wheezy.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#714241; Package xml-security-c. (Fri, 28 Jun 2013 04:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Fri, 28 Jun 2013 04:57:04 GMT) Full text and rfc822 format available.

Message #35 received at 714241@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Russ Allbery <rra@debian.org>
Cc: 714241@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#714241: xml-security-c: CVE-2013-2210
Date: Fri, 28 Jun 2013 06:54:38 +0200
Hi Russ,

On Thu, Jun 27, 2013 at 03:29:42PM -0700, Russ Allbery wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Could you double check this, and prepare packages for squeeze and
> > wheezy too?
> 
> I've uploaded fixed versions for experimental and unstable.  Here are the
> debdiff patches for wheezy and squeeze.  Permission to upload to the
> security queue?
> 
> Please note that Shibboleth doesn't exercise this part of the code, so I
> don't personally have any application that tests this part of the
> library.  However, the upstream change is fairly simple.

Looks good. Yes please upload to security-master both.

Thanks for your quick update.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#714241; Package xml-security-c. (Fri, 28 Jun 2013 05:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Fri, 28 Jun 2013 05:03:04 GMT) Full text and rfc822 format available.

Message #40 received at 714241@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 714241@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#714241: xml-security-c: CVE-2013-2210
Date: Thu, 27 Jun 2013 21:58:15 -0700
Salvatore Bonaccorso <carnil@debian.org> writes:

> Looks good. Yes please upload to security-master both.

> Thanks for your quick update.

Done.  Thank you for handling security issues!

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Sat, 29 Jun 2013 10:51:19 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 29 Jun 2013 10:51:19 GMT) Full text and rfc822 format available.

Message #45 received at 714241-close@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 714241-close@bugs.debian.org
Subject: Bug#714241: fixed in xml-security-c 1.6.1-5+deb7u2
Date: Sat, 29 Jun 2013 10:47:22 +0000
Source: xml-security-c
Source-Version: 1.6.1-5+deb7u2

We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:54:03 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes: 
 xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.  (Closes: #714241, CVE-2013-2210)
Checksums-Sha1: 
 69343ccfc8fb3368cd3bf5cb289897f2f9b655a2 1813 xml-security-c_1.6.1-5+deb7u2.dsc
 ba7f9c8b5c122ea213ab6b880e13952cace2b36f 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz
 6c3d73f2d99f2f6b1f6c7ba97820209f17d64437 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb
 7a4a814816050ca5d6e62d67ad17fce18dc7b460 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb
Checksums-Sha256: 
 a5aaeff16e400d7351fde6903fb32733af8c38990365913d42923280cf9a39ec 1813 xml-security-c_1.6.1-5+deb7u2.dsc
 c0218aa7181316be9fa44753b09c81c5a327e5d6ed01d533f462a37325723789 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz
 05fdb7667ce34abb7cf2b7f3ea0f38820b4d6cbda9cd153842be9470079be733 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb
 8f14e1257df217c479fddd63aaaa7345a772a1f359faf4e6f18beb1bc6170947 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb
Files: 
 fd91e1b027e8af76e9260aa86a2c96cc 1813 libs extra xml-security-c_1.6.1-5+deb7u2.dsc
 ab3cf5ffdde120bbdf4aebd3c88bb9c9 12013 libs extra xml-security-c_1.6.1-5+deb7u2.debian.tar.gz
 95959ea297072b19617efd9757b34182 375560 libs extra libxml-security-c16_1.6.1-5+deb7u2_i386.deb
 8ae52f2ded56659e2e1e984a62b3a55c 151332 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRzRelAAoJEH2AMVxXNt51XosIAJimFictwIv+bNuF0ruNq+de
PcB3JFutC3hikV62nyEpT4/EBFGAF12NTAnESrqoEo2/nvwZvquPj3Yzbwg+SSfV
Bp8o/KVPbo8k+uV5cpzQlaPgEg5BCgHy2XNoOakaoIjTQb3+5YeY1mAlWeT05248
6zxdQ2YzGxmdWEhT5+u2wW2LTMynNrbHM3qc0HIEBnCkwOnnOcCg+Z6Be7nHprv1
EPQOIA+wiAB+T5KVw0IOj1LV7OeH9unxKc19iOZ8l5H2NSqiVNPWmnkJwfsXKanU
9sDWsoxUZUCVd6pYqAV8JmgEdxyeff4xkIFzaV9Gvcm6ieUx8zHcfGFltFwEv1o=
=Sa/6
-----END PGP SIGNATURE-----




Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Sat, 29 Jun 2013 10:51:23 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 29 Jun 2013 10:51:23 GMT) Full text and rfc822 format available.

Message #50 received at 714241-close@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 714241-close@bugs.debian.org
Subject: Bug#714241: fixed in xml-security-c 1.5.1-3+squeeze3
Date: Sat, 29 Jun 2013 10:48:03 +0000
Source: xml-security-c
Source-Version: 1.5.1-3+squeeze3

We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 15:15:18 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes: 
 xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.  (Closes: #714241, CVE-2013-2210)
Checksums-Sha1: 
 8ab33f3e4f2f86f2400a900d97850dc11b0b2b67 1670 xml-security-c_1.5.1-3+squeeze3.dsc
 0baa3d982be6e10174b3c44ec6fdbe5844ccefd4 11620 xml-security-c_1.5.1-3+squeeze3.diff.gz
 d6ad35760bc00e601e1f57b2dcccde1b9279c716 353922 libxml-security-c15_1.5.1-3+squeeze3_i386.deb
 40f1e58a8c278dacca0a9f6ccbb2499aad20148c 141932 libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb
Checksums-Sha256: 
 b631057a640a9df2bfe292e971ce064028acfe4bc6cdb17e670408c9f4b43dde 1670 xml-security-c_1.5.1-3+squeeze3.dsc
 b1e4d83a267a40316e30f1b961b51e7cb7a9b2b7fb82929f2cfb396136936b1f 11620 xml-security-c_1.5.1-3+squeeze3.diff.gz
 887e28919a86e19cbdd6a496ed06c9b366366374ae00a78a8637da7f1b2397d3 353922 libxml-security-c15_1.5.1-3+squeeze3_i386.deb
 956a172a4debd28ef6cc61b7b3803a72f65bf9357fb4c4f9eec7b5444f254e66 141932 libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb
Files: 
 844929bf53f34c0ebc97c54bcd9f484b 1670 libs extra xml-security-c_1.5.1-3+squeeze3.dsc
 d224b034021957819fa8f08f3058a971 11620 libs extra xml-security-c_1.5.1-3+squeeze3.diff.gz
 7e60f8d3ffe67987d98a773986d985b2 353922 libs extra libxml-security-c15_1.5.1-3+squeeze3_i386.deb
 c0fc7af171374aa6e1ba762d797460ff 141932 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRzRfJAAoJEH2AMVxXNt51a0MH/3kUSswfHZwIVkDc9hLbsjgV
2MGL2/K0kPyUSahax86julJCT/flNFlalve3baSlSKW+0bxCz+LEvwdf3Kn2za1g
j5K/eNtr4U6M4CeUXV0aPydyRK3NymsPUBim30mTSTLHFCLXfbGCAicnzb99A7LD
iaX8Pt2PVkefRm7kcw3BZx/ukPtcb/CKiZf9BeFuDkiWcKQGNyDcI2Z4uEiT+hKj
jBZEZICkvnF70oVd286PlHyuThLwXHAj4bJZgRONGZr2RXAomDP6BqYTfak1cQeZ
wOO5/qMpnq8pgIV070tFEy6Nb6O1rJpw9ReJu+rMp4RDggBQE+bQld7a7IZNcVA=
=vUUF
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:30:16 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:15:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.