Comment 15 for bug 1752306

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2

---------------
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
    - d/p/Add-disallowDoctype-to-parser-configuration.patch:
      Generic protection against data forgery. Irrelevant under
      Xerces 3.1, but is a pre-req for the CVE-2018-0489 patch.
    - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch:
      New patches fixing CVE-2018-0489: additional data forgery flaws.
      These flaws allow for changes to an XML document that do not break a
      digital signature but alter the user data passed through to applications
      enabling impersonation attacks and exposure of protected information.

 -- Ray Link <email address hidden> Thu, 29 Mar 2018 15:17:35 -0400