Re: [xml] Release of libxml2-2.9.9
- From: Alexander Dahl <ada thorsis com>
- To: xml gnome org
- Subject: Re: [xml] Release of libxml2-2.9.9
- Date: Wed, 30 Jan 2019 10:36:56 +0100
Hei hei,
On Thursday, 3 January 2019, 20:30:29 CET, Daniel Veillard via xml wrote:
Security:
- CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick Wellnhofer)
- CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick Wellnhofer)
What about CVE-2017-8872?
Debian (and SuSE) have a patch:
https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/
https://security-tracker.debian.org/tracker/CVE-2017-8872
According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by
accident with git commit v2.9.8-26-g123234f2?
The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
enough to say if it is harmful now and should be dropped? I also can not say
if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?
Anyone else?
Greets
Alex