Re: [xml] Security Issue - libxml



On Wed, Feb 23, 2011 at 07:47:52PM +0200, Andrew W. Nosenko wrote:
> On Wed, Feb 23, 2011 at 18:36, Rodrigo Rubira Branco (BSDaemon)
> <rodrigo kernelhacking com> wrote:
>> Dear All,
>>
>> I would like to know what is the best way to report security issues
>> affecting libxml.
>>
>> I tried the communication thru some Linux Vendors, but it seemed
>> impossible to move forward.  The issue affects mainly libxml-ruby.
>
> Daniel Veillard <veillard redhat com> is maintainer of libxml2.
> Therefore, the most conservative route is to send private e-mail to him.

  Actually, the best way is usually to report the problem to the
vendor-sec mailing-list
   http://en.wikipedia.org/wiki/Vendor-sec
and sure put me in copy, but ultimately if this is really about libxml2
I end up getting it (and often providing the fix, at least verifying it).
  In the case of libxml-ruby, it's unclear, a problem could be with the
bindings code, or in libxml2 itself, I would also contact the author(s)
of the ruby bindings too.
  In any case providing a reproducer (even if not systematic) is really
critical, unless it was spotted by code analysis.

  thanks !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
