Re: [xml] Security Issue - libxml

From: Daniel Veillard <veillard redhat com>
To: "Andrew W. Nosenko" <andrew w nosenko gmail com>
Cc: xml gnome org
Subject: Re: [xml] Security Issue - libxml
Date: Sat, 26 Feb 2011 15:43:07 +0100

On Wed, Feb 23, 2011 at 07:47:52PM +0200, Andrew W. Nosenko wrote:

On Wed, Feb 23, 2011 at 18:36, Rodrigo Rubira Branco (BSDaemon)
<rodrigo kernelhacking com> wrote:

Dear All,

I would like to know what is the best way to report security issues
affecting libxml.

I tried the communication thru some Linux Vendors, but it seemed
impossible to move forward.  The issue affects mainly libxml-ruby.


Daniel Veillard <veillard redhat com> is maintainer of libxml2.
Therefore, the most conservative route is to send private e-mail to him.


  Actually, the best way is usually to report the problem to the
vendor-sec mailing-list
   http://en.wikipedia.org/wiki/Vendor-sec
and sure put me in copy, but ultimately if this is really about libxml2
I end up getting it (and often providing the fix, at least verifying it).
  In the case of libxml-ruby, it's unclear, a problem could be with the
bindings code, or in libxml2 itself, I would also contact the author(s)
of the ruby bindings too.
  In any case providing a reproducer (even if not systematic) is really
critical, unless it was spotted by code analysis.

  thanks !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

References:
- Re: [xml] No versioning in 2.7.8 build
  - From: Daniel Veillard
- [xml] Security Issue - libxml
  - From: Rodrigo Rubira Branco (BSDaemon)
- Re: [xml] Security Issue - libxml
  - From: Andrew W. Nosenko

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]