Re: Wheezy update of libxml2?

To: Debian LTS <debian-lts@lists.debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, libxml2@packages.debian.org, "Debian XML/SGML Group" <debian-xml-sgml-pkgs@lists.alioth.debian.org>, Aron Xu <aron@debian.org>
Subject: Re: Wheezy update of libxml2?
From: Ola Lundqvist <ola@inguza.com>
Date: Sun, 8 Jan 2017 23:04:11 +0100
Message-id: <[🔎] CABY6=0=q_Rjc+EWT4SGeJwiu3GJZ3D-qNzzus6_8Mg_ARqXehw@mail.gmail.com>
In-reply-to: <[🔎] CAMr=8w6pcPhAd=ZYx8XvJHB9vXB6ocWZw427EW2+xdoZaPyC+g@mail.gmail.com>
References: <20161231205918.GA20795@inguza.net> <[🔎] CAMr=8w6pcPhAd=ZYx8XvJHB9vXB6ocWZw427EW2+xdoZaPyC+g@mail.gmail.com>

Hi LTS team

I have started to look into CVE-2016-9318. The solution to this
problem is to introduce a new option that make it possible to disallow
any external entity references. As this is a library it means that all
applications have to be updated to utilize this. Also in many
situations this is actually not advisable unless this is an admin
decision so a new configuration option is needed for all such
applications.

Unless anyone object I will mark CVE-2016-9318 as no-dsa.

Best regards

// Ola



On 6 January 2017 at 09:33, Aron Xu <aron@debian.org> wrote:
> On Sun, Jan 1, 2017 at 4:59 AM, Ola Lundqvist <ola@inguza.com> wrote:
>> Hello dear maintainer(s),
>>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of libxml2:
>> https://security-tracker.debian.org/tracker/CVE-2016-9318
>> https://security-tracker.debian.org/tracker/CVE-2016-9597
>> https://security-tracker.debian.org/tracker/CVE-2016-9598
>>
>> Would you like to take care of this yourself?
>>
>> If yes, please follow the workflow we have defined here:
>> https://wiki.debian.org/LTS/Development
>>
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to debian-lts@lists.debian.org
>> (via a debdiff, or with an URL pointing to the source package,
>> or even with a pointer to your packaging repository), and the members
>> of the LTS team will take care of the rest. Indicate clearly whether you
>> have tested the updated package or not.
>>
>> If you don't want to take care of this update, it's not a problem, we
>> will do our best with your package. Just let us know whether you would
>> like to review and/or test the updated package before it gets released.
>>
>> You can also opt-out from receiving future similar emails in your
>> answer and then the LTS Team will take care of libxml2 updates
>> for the LTS releases.
>>
>
> Hi,
>
> I'm not quite interested in backporting the fixes to LTS branch at
> this moment, but CC'ing the XML/SGML group to see if there's anyone
> else interested...
>
> Regards,
> Aron



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

References:
- Re: Wheezy update of libxml2?
  - From: Aron Xu <aron@debian.org>

Prev by Date: Re: Wheezy update of icoutils?
Next by Date: Wheezy update of w3m?
Previous by thread: Re: Wheezy update of libxml2?
Next by thread: Re: wheezy update for libav
Index(es):
- Date
- Thread