[Bug 1600717] [NEW] Sync expat 2.2.0-1 (main) from Debian unstable (main)
Launchpad Bug Tracker
1600717 at bugs.launchpad.net
Mon Jul 11 08:33:39 UTC 2016
You have been subscribed to a public bug by LocutusOfBorg (costamagnagianfranco):
Please sync expat 2.2.0-1 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: unanticipated internal calls to srand
- debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
in lib/xmlparse.c.
- debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
32bit platforms in lib/xmlparse.c.
- CVE-2012-6702
* SECURITY UPDATE: use of too little entropy
- debian/patches/CVE-2016-5300-1.patch: extract method
gather_time_entropy in lib/xmlparse.c.
- debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
address in lib/xmlparse.c.
- CVE-2016-5300
* SECURITY UPDATE: denial of service and possible code execution via
malformed documents
- debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
lib/xmltok_impl.c.
- CVE-2016-0718
* SECURITY UPDATE: integer overflows in XML_GetBuffer
- debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
lib/xmlparse.c.
- CVE-2015-1283
Everything is part of Debian and the new upstream release.
Changelog entries since current yakkety version 2.1.1-1ubuntu2:
expat (2.2.0-1) unstable; urgency=low
* New upstream release, update symbols accordingly.
* Use upstream manpage for xmlwf.
* Drop all patches as this release contains those.
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Tue, 21 Jun 2016 15:29:58
+0000
expat (2.1.1-3) unstable; urgency=high
* Use upstream fix for the following security vulnerabilities:
- CVE-2012-6702, unanticipated internal calls to srand
- CVE-2016-5300, use of too little entropy
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Sun, 05 Jun 2016 00:17:46
+0000
expat (2.1.1-2) unstable; urgency=high
* Avoid relying on undefined behavior in CVE-2015-1283 fix.
* Apply upstream patch to fix the root cause of CVE-2016-0718 and
CVE-2016-0719 vulnerabilities.
* Update Standards-Version to 3.9.8 .
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Mon, 16 May 2016 05:35:08
+0000
** Affects: expat (Ubuntu)
Importance: Wishlist
Status: New
--
Sync expat 2.2.0-1 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/1600717
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list