Re: [xml] Release of libxml2-2.9.9



Hei hei,

On Thursday, 3 January 2019, 20:30:29 CET, Daniel Veillard via xml wrote:
Security:
- CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick Wellnhofer)
- CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick Wellnhofer)

What about CVE-2017-8872?

Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/

https://security-tracker.debian.org/tracker/CVE-2017-8872

According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and 
https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by 
accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well 
enough to say if it is harmful now and should be dropped? I also can not say 
if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Anyone else?

Greets
Alex


