guix-devel

Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131


From: Leo Famulari
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 19:25:58 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari <address@hidden> writes:
> 
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
> >
> > I noticed that Debian applied several more upstream changes to their
> > package:
> >
> > https://anonscm.debian.org/cgit/debian-xml-sgml/libxml2.git/tree/debian/patches
> >
> > Here is the upstream repository:
> >
> > https://git.gnome.org/browse/libxml2/log/
> >
> > Your thoughts?
> 
> The patches LGTM. I'm confused by CVE-2016-4658: the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.
> 
> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

I pushed these specific fixes, using grafts.

> I did not look into the other Debian patches.

I'll look into this over the next few days if nobody beats me to it.
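The graft Leo refers to, as an added example of how such a fix is declared in a Guix package definition (this is not code from the thread or from the Guix repository; the version, download URL, hash and patch file names are assumed placeholders):

```scheme
;; Added example, not from the thread or from Guix itself. It shows the
;; "graft" mechanism: dependents keep referring to `libxml2`, but at
;; build-output level they receive `libxml2/fixed`, so a security fix
;; reaches users without rebuilding every package that depends on
;; libxml2 (which is what a 'core-updates' cycle would do).
(define-module (example libxml2-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))   ; provides search-patches

(define-public libxml2
  (package
    (name "libxml2")
    (version "2.9.4")            ; assumed version, not stated in the thread
    (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
                                  version ".tar.gz"))   ; assumed URL
              (sha256
               ;; placeholder hash: 52 zeros is valid base32 but not real
               (base32 (make-string 52 #\0)))))
    (build-system gnu-build-system)
    (home-page "http://www.xmlsoft.org/")
    (synopsis "C parser for XML")
    (description "Libxml2 is the XML C parser and toolkit of GNOME.")
    (license license:x11)
    ;; The graft: `replacement` is a thunked field, so the forward
    ;; reference to the package defined below is fine.
    (replacement libxml2/fixed)))

(define libxml2/fixed
  (package
    (inherit libxml2)
    (source (origin
              (inherit (package-source libxml2))
              ;; Patch file names are assumed placeholders; the graft
              ;; must stay ABI-compatible with the original output.
              (patches (search-patches "libxml2-CVE-2016-4658.patch"
                                       "libxml2-CVE-2016-5131.patch"))))))
```

Because a graft rewrites store references rather than rebuilding dependents, it is only safe for changes that keep the package's ABI and file layout unchanged, which is why larger batches of upstream patches are better deferred to a 'core-updates' evaluation.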


