[Bug 1482777] [NEW] [MIR] open-vm-tools 9.10.2 build dependencies: xml-security-c and xerces-c
Ben Howard
ben.howard at canonical.com
Fri Aug 7 21:36:17 UTC 2015
Public bug reported:
Explanation: open-vm-tools 9.10.2 synced from Debian introduces two new build dependencies. This MIR requests that both
libxerces-c and libxml-security-c be promoted to main.
These build dependencies support the SAML based guest authentication.
open-vm-tools itself was MIRed in Bug #1220950.
[ PACKAGE: xml-security-c ]
Apache XML Security for C++ is a library for the XML Digital Security specification. It provides processing and handling of XML Key Management Specifications (XKMS) messages.
Availability: universe, Debian
Rationale: build dependency for SAML Based guest authentication in open-vm-tools
Security: There have been 5 CVEs, four of them in 2013:
[1] CVE-2013-2153 - signature validation bypass issue
[2] CVE-2013-2154 - stack overflow during XPointer evaluation
[3] CVE-2013-2155 - DoS attack through crafted HMAC authentication
[4] CVE-2013-2156 - heap overflow that potentially allows arbitrary code execution
[1] http://santuario.apache.org/secadv.data/CVE-2013-2153.txt
[2] http://santuario.apache.org/secadv.data/CVE-2013-2154.txt
[3] http://santuario.apache.org/secadv.data/CVE-2013-2155.txt
[4] http://santuario.apache.org/secadv.data/CVE-2013-2156.txt
QA: This is an official project under the Apache foundation. The project
is actively maintained. See: https://svn.apache.org/viewvc/santuario/
[ PACKAGE: xerces-c ]
Xerces-C++ is a validating XML parser written in a portable subset of C++.
Availability: universe, Debian
Rationale: build dependency for SAML Based guest authentication in open-vm-tools
Security: A review of the CVE history shows 3 CVEs since 2004. There
was one CVE in 2015 (CVE-2015-0252) and before that in 2009
(CVE-2009-1885). CVE-2009-1885 was a DoS vector caused by malformed
DTDs.
QA: This package is an official project under the Apache foundation and
has been around since 2004. The project is actively maintained. See
https://svn.apache.org/viewvc/xerces/c/?root=Apache-SVN
Dependencies: Package is maintained in Debian and Ubuntu.
** Affects: open-vm-tools (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1482777