[MIR] open-vm-tools 10.0.x build dependencies: xml-security-c and xerces-c
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xerces-c (Ubuntu) | Won't Fix | High | Ubuntu Security Team |
xml-security-c (Ubuntu) | Won't Fix | High | Unassigned |
Bug Description
Explanation: open-vm-tools 9.10.2, synced from Debian, introduces two new build dependencies. This MIR requests that both libxerces-c and libxml-security-c be promoted to main.
These build dependencies support the SAML-based guest authentication.
open-vm-tools itself was MIRed in Bug #1220950.
[PACKAGE: xml-security-c]
Apache XML Security for C++ is a library for the XML Digital Security specification. It provides processing and handling of XML Key Management Specifications (XKMS) messages.
Availability: universe, Debian
Rationale: build dependency for SAML-based guest authentication in open-vm-tools
Security: There have been 5 CVEs, four of them in 2013:
[1] CVE-2013-2153 - signature validation bypass
[2] CVE-2013-2154 - stack overflow during XPointer evaluation
[3] CVE-2013-2155 - DoS through crafted HMAC authentication
[4] CVE-2013-2156 - heap overflow that potentially allows arbitrary code execution
[1] http://
[2] http://
[3] http://
[4] http://
QA: This is an official project under the Apache Software Foundation. The project is actively maintained. See: https:/
[PACKAGE: xerces-c]
Xerces-C++ is a validating XML parser written in a portable subset of C++.
Availability: universe, Debian
Rationale: build dependency for SAML-based guest authentication in open-vm-tools
Security: A review of the CVE history shows 3 CVEs since 2004. There was one CVE in 2015 (CVE-2015-0252) and before that one in 2009 (CVE-2009-1885). CVE-2009-1885 was a DoS vector triggered by malformed DTDs.
QA: This package is an official project under the Apache Software Foundation and has been around since 2004. The project is actively maintained. See https:/
Dependencies: Package is maintained in Debian and Ubuntu.
affects: open-vm-tools (Ubuntu) → xml-security-c (Ubuntu)
Changed in xerces-c (Ubuntu):
  importance: Critical → Medium
Changed in xml-security-c (Ubuntu):
  importance: Critical → High
  importance: High → Medium
Changed in xerces-c (Ubuntu):
  importance: Medium → High
Changed in xml-security-c (Ubuntu):
  importance: Medium → High
Changed in xml-security-c (Ubuntu):
  status: New → In Progress
  assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Changed in xml-security-c (Ubuntu):
  status: In Progress → Won't Fix
Changed in xerces-c (Ubuntu):
  status: New → Won't Fix
Both packages don't have bug subscribers, so this is incomplete. However, it blocks GCC 5, so let's go ahead with it, requesting a review from the security team.