Bugzilla – Bug 809917
VUL-1: CVE-2013-1864: libpt2/ekiga: fix for XML denial of service (billion laughs) attack
Last modified: 2016-10-20 10:24:03 UTC
is public, via oss-sec CVE-2013-1864

From: Vincent Danen <vdanen@redhat.com>
Date: Fri, 15 Mar 2013 10:42:38 -0600
Subject: [oss-security] CVE request: billion laughs flaw in ptlib

Ekiga 4.0.1 was released and noted a security fix in ptlib (seems to be embedded in Ekiga) for a "billion laughs" style attack. Could a CVE be assigned to this?

Thanks.

References:
http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-available
http://opalvoip.svn.sourceforge.net/viewvc/opalvoip?view=revision&revision=28856
https://bugzilla.redhat.com/show_bug.cgi?id=922177
ptlib seems to be in "pwlib" for SLE 10 SP4.
bugbot adjusting priority
The code changes a lot. Try to understand the patch and backport it.

Hi Marcus,

The pwlib package did not update from sle10 (1.10) and now it is 2.13 upstream. Should we update it?

hmm, we can leave sle10 pwlib for now. sle11 is more important as a first step.
submitted to sle11
The SWAMPID for this issue is 56023. This issue was rated as moderate. Please submit fixed packages until 2014-02-10. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: pwlib, pwlib-debuginfo, pwlib-debugsource, pwlib-devel, pwlib-plugins-avc, pwlib-plugins-dc, pwlib-plugins-v4l2
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)

SUSE-SU-2014:0237-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 809917
CVE References: CVE-2013-1864
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): pwlib-1.10.10-120.35.1
SUSE Linux Enterprise Desktop 11 SP3 (src): pwlib-1.10.10-120.35.1
close