Bug 48367 – xml-security-c: Multiple issues (4.2)

Bug 48367 - xml-security-c: Multiple issues (4.2)


Summary:	xml-security-c: Multiple issues (4.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-5-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-12-18 09:26 CET by Philipp Hahn
Modified:	2019-01-16 13:40 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) PMH

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2018-12-18 09:26:33 CET

1.7.2-3+deb8u2fixes
<https://issues.apache.org/jira/browse/SANTUARIO-496>

This security still has noe official CVE identifier:
<https://security-tracker.debian.org/tracker/TEMP-0913136-041770>

cd $BS2/apt/ucs_4.2-0-errata4.2-5 && repo-copy-dsc -cpvvvv $U/debian-security/pool/updates/main/x/xml-security-c/xml-security-c_1.7.2-3+deb8u2.dsc

Comment 1 Quality Assurance

2018-12-18 17:22:58 CET

--- mirror/ftp/4.2/unmaintained/4.2-5/source/xml-security-c_1.7.2-3+deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/xml-security-c_1.7.2-3+deb8u2.dsc
@@ -1,3 +1,11 @@
+1.7.2-3+deb8u2 [Fri, 23 Nov 2018 19:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * temporary issue, no CVE assigned yet
+    Different KeyInfo combinations, like signatures without public key,
+    result in incomplete DSA structures that crash openssl during
+    verification.
+ 
 1.7.2-3+deb8u1 [Sun, 05 Aug 2018 20:01:03 +0200] Ferenc Wágner <wferi@debian.org>:
 
   * [109db8e] New patch: Default KeyInfo resolver doesn't check for empty

<http://10.200.17.11/4.2-5/#2268654937859581810>

Comment 2 Philipp Hahn

2018-12-18 17:27:11 CET

OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] d2ac5fdf21 Bug #48367: xml-security-c 1.7.2-3+deb8u2
 doc/errata/staging/xml-security-c.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comment 3 Erik Damrose

2019-01-09 10:28:16 CET

Repen: YAML not ok:
[SKIP] cve.TEMP-0913136-041770: Not in description: TEMP-0913136-041770
[FAIL] bug.48367.scope+version: Bug 48367 scope: ---
[SKIP] cve.TEMP-0913136-041770.bugzilla: TEMP-0913136-041770 in bugzilla comment

Comment 4 Philipp Hahn

2019-01-09 12:33:09 CET

(In reply to Erik Damrose from comment #3)
> Repen: YAML not ok:
> [FAIL] bug.48367.scope+version: Bug 48367 scope: ---

You fixed it yourself:
> damrose@univention.de	2019-01-09 10:28:25 CET	Target Milestone	---	UCS 4.2-5-errata

Comment 5 Arvid Requate

2019-01-16 13:40:06 CET

<http://errata.software-univention.de/ucs/4.2/584.html>