[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131

From: Leo Famulari
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 19:25:58 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari <address@hidden> writes:
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
> >
> > I noticed that Debian applied several more upstream changes to their
> > package:
> >
> >
> >
> > Here is the upstream repository:
> >
> >
> >
> > Your thoughts?
> The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.
> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

I pushed these specific fixes, using grafts.

> I did not look into the other Debian patches.

I'll look into this over the next few days if nobody beats me to it.

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]