
group.of.nepali.translators team mailing list archive

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]


This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2

---------------
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
    - d/p/Add-disallowDoctype-to-parser-configuration.patch:
      Generic protection against data forgery.  Irrelevant under
      Xerces 3.1, but is a pre-req for the CVE-2018-0489 patch.
    - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch:
      New patches fixing CVE-2018-0489: additional data forgery flaws.
      These flaws allow for changes to an XML document that do not break a
      digital signature but alter the user data passed through to applications
      enabling impersonation attacks and exposure of protected information.

 -- Ray Link <rlink+launchpad@xxxxxxxxxx>  Thu, 29 Mar 2018 15:17:35 -0400

** Changed in: xmltooling (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1752306

Title:
  Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

Status in xmltooling package in Ubuntu:
  Fix Released
Status in xmltooling source package in Trusty:
  Fix Released
Status in xmltooling source package in Xenial:
  Fix Released
Status in xmltooling source package in Artful:
  Incomplete
Status in xmltooling source package in Bionic:
  Fix Released

Bug description:
  From the Debian security advisory at
  https://www.debian.org/security/2018/dsa-4126

      Kelby Ludwig and Scott Cantor discovered that the Shibboleth
  service provider is vulnerable to impersonation attacks and
  information disclosure due to incorrect XML parsing. For additional
  details please refer to the upstream advisory at
  https://shibboleth.net/community/advisories/secadv_20180227.txt

      For the oldstable distribution (jessie), this problem has been
  fixed in version 1.5.3-2+deb8u3.

      For the stable distribution (stretch), this problem has been fixed
  in version 1.6.0-4+deb9u1.

      We recommend that you upgrade your xmltooling packages.

      For the detailed security status of xmltooling please refer to its
  security tracker page at: https://security-tracker.debian.org/tracker/xmltooling

  This bug is fixed upstream in Debian

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+subscriptions
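As an added example (not code from the bug report, the xmltooling package, or the Shibboleth project): the changelog above introduces a disallowDoctype parser option as a generic protection against data forgery. The snippet below shows, with Python's expat bindings, why such an option matters: a DOCTYPE can define entities that change the text an application receives from a parsed document, and refusing any DOCTYPE up front removes that influence. The element names and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class DoctypeDisallowed(ValueError):
    """Raised when a document carries a DOCTYPE and the caller forbade one."""


def extract_values(xml_bytes, disallow_doctype=True):
    """Parse XML and return {element-name: text} for elements with text.

    With disallow_doctype=True any DOCTYPE declaration aborts parsing, in the
    spirit of the disallowDoctype option named in the changelog. With False
    the parser applies the internal DTD subset, so entity definitions in the
    DOCTYPE decide what text the application sees.
    """
    parser = xml.parsers.expat.ParserCreate()
    values = {}
    stack = []  # open element names, innermost last

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if disallow_doctype:
            raise DoctypeDisallowed(f"DOCTYPE '{name}' not permitted")

    def on_start(name, attrs):
        stack.append(name)
        values.setdefault(name, "")

    def on_end(name):
        stack.pop()

    def on_chars(data):  # expat may deliver text in several chunks
        if stack:
            values[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return {k: v.strip() for k, v in values.items() if v.strip()}


# Constructed sample: a plain document with a user name.
PLAIN = b"<assertion><user>alice</user></assertion>"

# Constructed sample: same structure, but a DOCTYPE declares an internal
# entity, so the text under <user> now comes from the DTD, not the element.
WITH_DOCTYPE = (b'<!DOCTYPE assertion [ <!ENTITY who "admin"> ]>'
                b"<assertion><user>&who;</user></assertion>")


def rejects_doctype(xml_bytes):
    """True if the strict parser refuses the document because of a DOCTYPE."""
    try:
        extract_values(xml_bytes, disallow_doctype=True)
    except DoctypeDisallowed:
        return True
    return False
```

With the permissive setting the second document yields `admin` for `user`; with the strict setting it is rejected before any content is handed on.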