group.of.nepali.translators team mailing list archive

[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

 

This bug was fixed in the package xmltooling - 1.6.4-1ubuntu2.1

---------------
xmltooling (1.6.4-1ubuntu2.1) bionic-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <etienne.dysli-metref@xxxxxxxxx>  Thu, 14 Mar 2019 11:56:34 +0100

** Changed in: xmltooling (Ubuntu Bionic)
       Status: In Progress => Fix Released

** Changed in: xmltooling (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1819912

Title:
  CVE-2019-9628 XML parser class fails to trap exceptions on malformed
  XML declaration

Status in xmltooling package in Ubuntu:
  Fix Released
Status in xmltooling source package in Trusty:
  Fix Released
Status in xmltooling source package in Xenial:
  Fix Released
Status in xmltooling source package in Bionic:
  Fix Released
Status in xmltooling package in Debian:
  Fix Released

Bug description:
  https://shibboleth.net/community/advisories/secadv_20190311.txt
  https://issues.shibboleth.net/jira/browse/CPPXT-143
  https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5
  https://security-tracker.debian.org/tracker/CVE-2019-9628
