Re: [xml] Release of libxml2-2.9.9

From: Alexander Dahl <ada thorsis com>
To: xml gnome org
Subject: Re: [xml] Release of libxml2-2.9.9
Date: Wed, 30 Jan 2019 10:36:56 +0100

Hei hei,

Am Donnerstag, 3. Januar 2019, 20:30:29 CET schrieb Daniel Veillard via xml:

Security:
- CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick
Wellnhofer) - CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick
Wellnhofer)


What about CVE-2017-8872?

Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/

https://security-tracker.debian.org/tracker/CVE-2017-8872

According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and 
https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by 
accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well 
enough to say if it is harmful now and should be dropped? I also can not say 
if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Anyone else?

Greets
Alex

Follow-Ups:
- Re: [xml] Release of libxml2-2.9.9
  - From: Nick Wellnhofer

References:
- [xml] Release of libxml2-2.9.9
  - From: Daniel Veillard

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]