Re: [xml] Security Issue - libxml

On Wed, Feb 23, 2011 at 07:47:52PM +0200, Andrew W. Nosenko wrote:
> On Wed, Feb 23, 2011 at 18:36, Rodrigo Rubira Branco (BSDaemon)
> <rodrigo kernelhacking com> wrote:
> > Dear All,
> >
> > I would like to know what is the best way to report security issues
> > affecting libxml.
> >
> > I tried the communication thru some Linux Vendors, but it seemed
> > impossible to move forward.  The issue affects mainly libxml-ruby.
>
> Daniel Veillard <veillard redhat com> is maintainer of libxml2.
> Therefore, the most conservative route is to send private e-mail to him.

  Actually, the best way is usually to report the problem to the
vendor-sec mailing-list and sure put me in copy, but ultimately if this
is really about libxml2 I end up getting it (and often providing the fix,
at least verifying it).
  In the case of libxml-ruby, it's unclear, a problem could be with the
bindings code, or in libxml2 itself, I would also contact the author(s)
of the ruby bindings too.
  In any case providing a reproducer (even if not systematic) is really
critical, unless it was spotted by code analysis.

  thanks !


Daniel Veillard      | libxml Gnome XML XSLT toolkit
daniel veillard com  | Rpmfind RPM search engine | virtualization library
