ESB-2019.0786 - [Debian] xmltooling: Denial of service - Remote/unauthenticated 2019-03-13


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0786
                        xmltooling security update
                               13 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xmltooling
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9628  

Reference:         ESB-2019.0765

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4407

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4407-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 12, 2019                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xmltooling
CVE ID         : CVE-2019-9628

Ross Geerlings discovered that the XMLTooling library didn't correctly
handle exceptions on malformed XML declarations, which could result in
denial of service against the application using XMLTooling.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.0-4+deb9u2.

We recommend that you upgrade your xmltooling packages.
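As an added check, not part of the Debian advisory or the AusCERT bulletin: a Python implementation of Debian's version ordering (epoch, upstream, revision, with dpkg's '~' and letter rules) that reports whether an xmltooling package version string sorts before the stretch fix, 1.6.0-4+deb9u2. It assumes the installed version string has already been read from the system (for example from `dpkg-query -W` output); the `needs_update` and `compare_versions` names are this example's own.

```python
import re

FIXED_VERSION = "1.6.0-4+deb9u2"  # stretch fix from DSA-4407-1 on this page

def _weight(c):
    # dpkg character order: '~' before anything (even end of string, weight 0),
    # letters before every other character.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate leading non-digit runs (lexical, by _weight) and leading digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        for i in range(max(len(na), len(nb))):
            wa = _weight(na[i] if i < len(na) else "")
            wb = _weight(nb[i] if i < len(nb) else "")
            if wa != wb:
                return -1 if wa < wb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")  # an empty digit run counts as zero
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    # [epoch:]upstream_version[-debian_revision]; revision follows the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, like dpkg --compare-versions: epoch, then upstream, then revision.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(installed, fixed=FIXED_VERSION):
    # True when the installed version sorts before the fixed one (constructed inputs in tests).
    return compare_versions(installed, fixed) < 0
```

The result only says whether the version is older than the stretch fix; packages built from a different upstream series must be judged against that series' own fixed version.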

For the detailed security status of xmltooling please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xmltooling

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
