[Bug 1600717] [NEW] Sync expat 2.2.0-1 (main) from Debian unstable (main)

Launchpad Bug Tracker 1600717 at bugs.launchpad.net
Mon Jul 11 08:33:39 UTC 2016 

You have been subscribed to a public bug by LocutusOfBorg (costamagnagianfranco):

Please sync expat 2.2.0-1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: unanticipated internal calls to srand
    - debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
      in lib/xmlparse.c.
    - debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
      32bit platforms in lib/xmlparse.c.
    - CVE-2012-6702
  * SECURITY UPDATE: use of too little entropy
    - debian/patches/CVE-2016-5300-1.patch: extract method
      gather_time_entropy in lib/xmlparse.c.
    - debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
      address in lib/xmlparse.c.
    - CVE-2016-5300
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed documents
    - debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
      and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
      lib/xmltok_impl.c.
    - CVE-2016-0718
  * SECURITY UPDATE: integer overflows in XML_GetBuffer
    - debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
      lib/xmlparse.c.
    - CVE-2015-1283

Everything is part of Debian and the new upstream release.

Changelog entries since current yakkety version 2.1.1-1ubuntu2:

expat (2.2.0-1) unstable; urgency=low

  * New upstream release, update symbols accordingly.
  * Use upstream manpage for xmlwf.
  * Drop all patches as this release contains those.

 -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Tue, 21 Jun 2016 15:29:58
+0000

expat (2.1.1-3) unstable; urgency=high

  * Use upstream fix for the following security vulnerabilities:
    - CVE-2012-6702, unanticipated internal calls to srand
    - CVE-2016-5300, use of too little entropy

 -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Sun, 05 Jun 2016 00:17:46
+0000

expat (2.1.1-2) unstable; urgency=high

  * Avoid relying on undefined behavior in CVE-2015-1283 fix.
  * Apply upstream patch to fix the root cause of CVE-2016-0718 and
    CVE-2016-0719 vulnerabilities.
  * Update Standards-Version to 3.9.8 .

 -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Mon, 16 May 2016 05:35:08
+0000

** Affects: expat (Ubuntu)
     Importance: Wishlist
         Status: New

-- 
Sync expat 2.2.0-1 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/1600717
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list