[Bug 1482777] [NEW] [MIR] open-vm-tools 9.10.2 build dependencies: xml-security-c and xerces-c

Ben Howard ben.howard at canonical.com
Fri Aug 7 21:36:17 UTC 2015 

Public bug reported:

Explanation: open-vm-tools 9.10.2 synced from Debian introduces two new build dependencies. This MIR requests that both 
libxerces-c and libxml-security-c be promoted to main. 

These build dependencies support the SAML based guest authentication.

open-vm-tools was MIR with Bug #1220950

[PACKAGE: xml-security-c ]
Apache XML Security for C++ is a library for the XML Digital Security specification. It provides processing and handling of XML Key Management Specifications (XKMS) messages.

Availability: universe, Debian

Rationale: build dependency for SAML Based guest authentication in open-
vm-tools

Security: There have been 5 CVE's, with four in 2013:
   [1] CVE-2013-2153 - signature validation bypass issue
   [2] CVE-2013-2154 - stack overflow during XPointer evaluation
   [3] CVE-2013-2155 - DoS attack through crafted HMAC authenticatoin
   [4] CVE-2013-2156 - heap overflow potentially allow arbitrary code execution

[1] http://santuario.apache.org/secadv.data/CVE-2013-2153.txt
[2] http://santuario.apache.org/secadv.data/CVE-2013-2154.txt
[3] http://santuario.apache.org/secadv.data/CVE-2013-2155.txt
[4] http://santuario.apache.org/secadv.data/CVE-2013-2156.txt

QA: This is an official project under the Apache foundation. The project
is actively maintained. See: https://svn.apache.org/viewvc/santuario/


[ PACKAGE: xerces-c ]
Xerces-C++ is a validating XML parser written in a portable subset of C++.

Availability: universe, Debian

Rationale:  build dependency for SAML Based guest authentication in
open-vm-tools

Security: A review of the CVE history shows 3 CVE's since 2004. There
was one CVE in 2015 (CVE-2015-0252) and before that in 2009
(CVE-2009-1885). CVE-2009-1885 was a DoS vector caused with malformed
DTD's.

QA:  This package is an official project under the Apache foundation and
has been around since 2004.  The project is actively maintained. See
https://svn.apache.org/viewvc/xerces/c/?root=Apache-SVN

Dependencies: Package is maintained in Debian and Ubuntu.

** Affects: open-vm-tools (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to open-vm-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1482777

Title:
  [MIR] open-vm-tools 9.10.2 build dependencies:  xml-security-c and
  xerces-c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1482777/+subscriptions

More information about the Ubuntu-server-bugs mailing list