[xml/sgml-pkgs] Bug#299729: marked as done ([CAN-2004-1575] Xerces-C++ 2.4.0: Attribute blowup)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 22 Mar 2005 18:33:12 -0800


Your message dated Tue, 22 Mar 2005 21:02:47 -0500
with message-id <E1DDvCp-0005Qw-00@newraff.debian.org>
and subject line Bug#299729: fixed in xerces24 2.4.0-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Feb 2005 13:49:20 +0000
From djoume@taket.org Tue Feb 22 05:49:20 2005
Return-path: <djoume@taket.org>
Received: from krepost.taket.org [82.233.235.217] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D3aPf-0004Y4-00; Tue, 22 Feb 2005 05:49:20 -0800
Received: from djoume by krepost.taket.org with local (Exim 3.36 #1 (Debian))
	id 1D3aPw-0000lI-00; Tue, 22 Feb 2005 14:49:36 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: SALVETTI Djoume <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup
X-Mailer: reportbug 3.2
Date: Tue, 22 Feb 2005 14:49:36 +0100
Message-Id: <E1D3aPw-0000lI-00@krepost.taket.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: xerces25
Severity: normal


Good day,

From [CAN-2004-1575]:

| The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
| denial of service (CPU consumption) via XML attributes in a crafted
| XML document.

This problem has been fixed in version 2.6 of Xerces.

It's not clear to me if prior versions (xerces24, xerces23, xerces22,
xerces21) are also vulnerable.

I can file bugs if you think it's appropriate.

Could you also mention the CAN number in changelog entries about this problem?

Regards.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)
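The advisory quoted in the report above describes CPU exhaustion triggered by the attributes of a crafted XML document. As an added illustration, not part of this bug report, the Debian package, or the Xerces-C++ code base, the following Python script shows a defender-side pre-screen: it streams a document through the standard library's expat binding and refuses any element that carries more than a configured number of attributes, so that a downstream parser with a per-attribute cost that grows with the attribute count never sees such input. The limit value, the function names and the sample documents are all assumptions chosen for this example; a real deployment would pick the limit from its own schema.

```python
import xml.parsers.expat


class AttributeLimitExceeded(Exception):
    """Raised when a single element declares more attributes than allowed."""


def check_attribute_limit(xml_bytes: bytes, max_attrs: int = 64) -> dict:
    """Stream through the document and stop at the first element whose
    attribute count exceeds max_attrs.

    Returns {"elements": n, "max_attrs_seen": m} when the whole document
    stays under the limit. Raises AttributeLimitExceeded otherwise.
    Well-formedness errors (including duplicate attribute names, which expat
    rejects on its own) propagate as xml.parsers.expat.ExpatError.
    """
    stats = {"elements": 0, "max_attrs_seen": 0}
    parser = xml.parsers.expat.ParserCreate()
    # Ask for a flat [name, value, name, value, ...] list rather than a dict,
    # so the count reflects what was in the input.
    parser.ordered_attributes = True

    def start_element(name, attrs):
        count = len(attrs) // 2
        stats["elements"] += 1
        if count > stats["max_attrs_seen"]:
            stats["max_attrs_seen"] = count
        if count > max_attrs:
            # Raising inside the handler stops the parse; expat does not
            # continue past this element.
            raise AttributeLimitExceeded(
                f"element <{name}> at line {parser.CurrentLineNumber} "
                f"has {count} attributes (limit {max_attrs})"
            )

    parser.StartElementHandler = start_element
    parser.Parse(xml_bytes, True)
    return stats


def screen_document(xml_bytes: bytes, max_attrs: int = 64):
    """Convenience wrapper returning (accepted, detail) instead of raising,
    which is the shape a request filter or queue consumer usually wants."""
    try:
        stats = check_attribute_limit(xml_bytes, max_attrs)
    except AttributeLimitExceeded as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"
    return True, (f"ok: {stats['elements']} elements, "
                  f"largest element has {stats['max_attrs_seen']} attributes")


def build_sample_document(attr_count: int) -> bytes:
    """Constructed test input (not from the advisory): one <item> element
    carrying attr_count distinct attributes under a <root> element."""
    attrs = " ".join(f'a{i}="{i}"' for i in range(attr_count))
    return f'<?xml version="1.0"?>\n<root>\n  <item {attrs}/>\n</root>\n'.encode()


if __name__ == "__main__":
    for count in (3, 20):
        accepted, detail = screen_document(build_sample_document(count), max_attrs=8)
        print(f"{count:3d} attributes -> {'accept' if accepted else 'reject'}: {detail}")
    # Duplicate attribute names are rejected by expat itself.
    print(screen_document(b'<r a="1" a="2"/>', max_attrs=8))
```

The guard is deliberately cheap: it only counts attributes per element and keeps no per-document state beyond two integers, so it cannot itself become the expensive step. Because the check is applied to the serialized bytes before any validating parse, it also works in front of a library you cannot patch immediately, which is the situation the report describes for the older xerces packages.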

---------------------------------------
Received: (at 299729-close) by bugs.debian.org; 23 Mar 2005 02:18:08 +0000
From katie@ftp-master.debian.org Tue Mar 22 18:18:08 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DDvRf-00018g-00; Tue, 22 Mar 2005 18:18:07 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DDvCp-0005Qw-00; Tue, 22 Mar 2005 21:02:47 -0500
From: Jay Berkenbilt <qjb@debian.org>
To: 299729-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#299729: fixed in xerces24 2.4.0-4
Message-Id: <E1DDvCp-0005Qw-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 22 Mar 2005 21:02:47 -0500
Delivered-To: 299729-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: xerces24
Source-Version: 2.4.0-4

We believe that the bug you reported is fixed in the latest version of
xerces24, which is due to be installed in the Debian FTP archive:

libxerces24-dev_2.4.0-4_i386.deb
  to pool/main/x/xerces24/libxerces24-dev_2.4.0-4_i386.deb
libxerces24-doc_2.4.0-4_all.deb
  to pool/main/x/xerces24/libxerces24-doc_2.4.0-4_all.deb
libxerces24_2.4.0-4_i386.deb
  to pool/main/x/xerces24/libxerces24_2.4.0-4_i386.deb
libxercesicu24_2.4.0-4_i386.deb
  to pool/main/x/xerces24/libxercesicu24_2.4.0-4_i386.deb
xerces24_2.4.0-4.diff.gz
  to pool/main/x/xerces24/xerces24_2.4.0-4.diff.gz
xerces24_2.4.0-4.dsc
  to pool/main/x/xerces24/xerces24_2.4.0-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 299729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated xerces24 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 22 Mar 2005 19:40:45 -0500
Source: xerces24
Binary: libxerces24 libxerces24-doc libxerces24-dev libxercesicu24
Architecture: source i386 all
Version: 2.4.0-4
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libxerces24 - validating XML parser library for C++
 libxerces24-dev - validating XML parser library for C++ (development files)
 libxerces24-doc - validating XML parser library for C++ (documentation)
 libxercesicu24 - validating XML parser library for C++
Closes: 299729
Changes: 
 xerces24 (2.4.0-4) unstable; urgency=low
 .
   * Fix for performance problem on elements with a large number of
     attributes [CAN-2004-1575].  (Closes: #299729)
   * Clarify documentation on differences between icu and native versions
     of the library.
   * Add shlibs files
   * Removed dependency on autoconf, updated dependency on debhelper
   * Changed dependency on libc6-dev to libc6-dev | libc-dev
Files: 
 ab083897140ad84f065e73313d71e2f9 758 libs extra xerces24_2.4.0-4.dsc
 655b67fd766e452a53b554619c7f9280 9020 libs extra xerces24_2.4.0-4.diff.gz
 bd5261fcc84f7b74e23ba5f4973d89ae 5267690 doc extra libxerces24-doc_2.4.0-4_all.deb
 667ce225a4c17239bdf4e462a0cb1d6f 1016326 libs extra libxerces24_2.4.0-4_i386.deb
 0ee3be190d9ee3ddc39dc0399b04aa73 798100 libdevel extra libxerces24-dev_2.4.0-4_i386.deb
 39d280505024830d5214627ff5724ac4 1016566 libs extra libxercesicu24_2.4.0-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQMzUEBVk6taI4KcRApnQAJ43l9ucnhLTHiqeSglFV4zFIpCjoQCffiX0
XYJUIs+GEzsWwxz1A4O5mas=
=bxWT
-----END PGP SIGNATURE-----