[SECURITY] [DSA 4407-1] xmltooling security update

2019-03-1221:26:18

lists.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.026 Low

EPSS

Percentile

90.4%

JSON

Debian Security Advisory DSA-4407-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
March 12, 2019 https://www.debian.org/security/faq

Package : xmltooling
CVE ID : CVE-2019-9628

Ross Geerlings discovered that the XMLTooling library didn't correctly
handle exceptions on malformed XML declarations, which could result in
denial of service against the application using XMLTooling.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.0-4+deb9u2.

We recommend that you upgrade your xmltooling packages.

For the detailed security status of xmltooling please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xmltooling

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian9arm64libxmltooling-dev< 1.6.0-4+deb9u2libxmltooling-dev_1.6.0-4+deb9u2_arm64.deb
Debian8i386libxmltooling6< 1.5.3-2+deb8u4libxmltooling6_1.5.3-2+deb8u4_i386.deb
Debian9i386libxmltooling-dev< 1.6.0-4+deb9u2libxmltooling-dev_1.6.0-4+deb9u2_i386.deb
Debian9mipsellibxmltooling-dev< 1.6.0-4+deb9u2libxmltooling-dev_1.6.0-4+deb9u2_mipsel.deb
Debian9s390xlibxmltooling-dev< 1.6.0-4+deb9u2libxmltooling-dev_1.6.0-4+deb9u2_s390x.deb
Debian9ppc64ellibxmltooling7-dbgsym< 1.6.0-4+deb9u2libxmltooling7-dbgsym_1.6.0-4+deb9u2_ppc64el.deb
Debian9armhflibxmltooling-dev< 1.6.0-4+deb9u2libxmltooling-dev_1.6.0-4+deb9u2_armhf.deb
Debian9mips64ellibxmltooling7< 1.6.0-4+deb9u2libxmltooling7_1.6.0-4+deb9u2_mips64el.deb
Debian9mipsellibxmltooling7-dbgsym< 1.6.0-4+deb9u2libxmltooling7-dbgsym_1.6.0-4+deb9u2_mipsel.deb
Debian9armhflibxmltooling7-dbgsym< 1.6.0-4+deb9u2libxmltooling7-dbgsym_1.6.0-4+deb9u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	arm64	libxmltooling-dev	< 1.6.0-4+deb9u2	libxmltooling-dev_1.6.0-4+deb9u2_arm64.deb
Debian	8	i386	libxmltooling6	< 1.5.3-2+deb8u4	libxmltooling6_1.5.3-2+deb8u4_i386.deb
Debian	9	i386	libxmltooling-dev	< 1.6.0-4+deb9u2	libxmltooling-dev_1.6.0-4+deb9u2_i386.deb
Debian	9	mipsel	libxmltooling-dev	< 1.6.0-4+deb9u2	libxmltooling-dev_1.6.0-4+deb9u2_mipsel.deb
Debian	9	s390x	libxmltooling-dev	< 1.6.0-4+deb9u2	libxmltooling-dev_1.6.0-4+deb9u2_s390x.deb
Debian	9	ppc64el	libxmltooling7-dbgsym	< 1.6.0-4+deb9u2	libxmltooling7-dbgsym_1.6.0-4+deb9u2_ppc64el.deb
Debian	9	armhf	libxmltooling-dev	< 1.6.0-4+deb9u2	libxmltooling-dev_1.6.0-4+deb9u2_armhf.deb
Debian	9	mips64el	libxmltooling7	< 1.6.0-4+deb9u2	libxmltooling7_1.6.0-4+deb9u2_mips64el.deb
Debian	9	mipsel	libxmltooling7-dbgsym	< 1.6.0-4+deb9u2	libxmltooling7-dbgsym_1.6.0-4+deb9u2_mipsel.deb
Debian	9	armhf	libxmltooling7-dbgsym	< 1.6.0-4+deb9u2	libxmltooling7-dbgsym_1.6.0-4+deb9u2_armhf.deb