[Bug 1600717] Re: Sync expat 2.2.0-1 (main) from Debian unstable (main)
Daniel Holbach
daniel.holbach at ubuntu.com
Mon Jul 11 08:43:37 UTC 2016
This bug was fixed in the package expat - 2.2.0-1
Sponsored for LocutusOfBorg (costamagnagianfranco)
---------------
expat (2.2.0-1) unstable; urgency=low
* New upstream release, update symbols accordingly.
* Use upstream manpage for xmlwf.
* Drop all patches as this release contains those.
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Tue, 21 Jun 2016 15:29:58
+0000
expat (2.1.1-3) unstable; urgency=high
* Use upstream fix for the following security vulnerabilities:
- CVE-2012-6702, unanticipated internal calls to srand
- CVE-2016-5300, use of too little entropy
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Sun, 05 Jun 2016 00:17:46
+0000
expat (2.1.1-2) unstable; urgency=high
* Avoid relying on undefined behavior in CVE-2015-1283 fix.
* Apply upstream patch to fix the root cause of CVE-2016-0718 and
CVE-2016-0719 vulnerabilities.
* Update Standards-Version to 3.9.8 .
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Mon, 16 May 2016 05:35:08
+0000
** Changed in: expat (Ubuntu)
Status: New => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-6702
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1283
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-0718
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-0719
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-5300
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1600717
Title:
Sync expat 2.2.0-1 (main) from Debian unstable (main)
Status in expat package in Ubuntu:
Fix Released
Bug description:
Please sync expat 2.2.0-1 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: unanticipated internal calls to srand
- debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
in lib/xmlparse.c.
- debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
32bit platforms in lib/xmlparse.c.
- CVE-2012-6702
* SECURITY UPDATE: use of too little entropy
- debian/patches/CVE-2016-5300-1.patch: extract method
gather_time_entropy in lib/xmlparse.c.
- debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
address in lib/xmlparse.c.
- CVE-2016-5300
* SECURITY UPDATE: denial of service and possible code execution via
malformed documents
- debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
lib/xmltok_impl.c.
- CVE-2016-0718
* SECURITY UPDATE: integer overflows in XML_GetBuffer
- debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
lib/xmlparse.c.
- CVE-2015-1283
Everything is part of Debian and the new upstream release.
Changelog entries since current yakkety version 2.1.1-1ubuntu2:
expat (2.2.0-1) unstable; urgency=low
* New upstream release, update symbols accordingly.
* Use upstream manpage for xmlwf.
* Drop all patches as this release contains those.
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Tue, 21 Jun 2016
15:29:58 +0000
expat (2.1.1-3) unstable; urgency=high
* Use upstream fix for the following security vulnerabilities:
- CVE-2012-6702, unanticipated internal calls to srand
- CVE-2016-5300, use of too little entropy
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Sun, 05 Jun 2016
00:17:46 +0000
expat (2.1.1-2) unstable; urgency=high
* Avoid relying on undefined behavior in CVE-2015-1283 fix.
* Apply upstream patch to fix the root cause of CVE-2016-0718 and
CVE-2016-0719 vulnerabilities.
* Update Standards-Version to 3.9.8 .
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Mon, 16 May 2016
05:35:08 +0000
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/expat/+bug/1600717/+subscriptions
More information about the Ubuntu-sponsors
mailing list