[Secure-testing-team] RFS: libxml fixing CVE-2009-2414/2416 in etch

Michael S. Gilbert michael.s.gilbert at gmail.com
Thu Aug 13 21:15:05 UTC 2009


On Thu, 13 Aug 2009 17:24:23 +0200 Nico Golde wrote:
>> P.S. by fixing bugs I meant in unstable
>
>Just realized that this may sound a bit harsh. Sorry. But 
>this is really not the place where help is needed, picking 
>up upstream security patches and applying them isn't the 
>hard part. But there are a lot of bugs in the tracker which 
>actually need people to work on fixes.

obviously; the patch and package were pretty straightforward (and
i'm sure most of these things are), but since you gave me such a hard
time i decided to fix something that needed fixing; and the discussion
the last few days made it look like libxml was not going to get
addressed. 

my interest is in a secure stable (and oldstable) release and not so
much unstable; hence i don't want to work on that. there are still a
significant number of unaddressed issues in the stable releases right
now.  i would like to be permitted to apply patches and create packages
for you for those releases. i have generated a patch for poppler, but
not a package, and i guess that isn't enough to be useful.  so i will
generate a package for that and packages for other issues in the future.

i am also interested in making sure all security issues are known and
triaged, which is a non-trivial task in and of itself.  it's
straightforward when issues trickle through the cve list, but less so
when issues are disclosed to the public on other lists, but fall through
the cracks; which is what mostly i have been concerned with.  i would
hope that this is helpful.  the alternative is potentially never knowing
about the flaw and leaving the hole open indefinitely (if it never
gets a cve).

> Also a small comment:
> --- libxml-1.8.17/debian/changelog
> +++ libxml-1.8.17/debian/changelog
> @@ -1,3 +1,9 @@
> +libxml (1:1.8.17-15) oldstable; urgency=low
> +
> +  * apply patches for CVE-2009-2414 and CVE-2009-2416
> +
> + -- Michael Gilbert <michael.s.gilbert at gmail.com>  Wed, 12 Aug 2009 17:28:31 -0400
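Review bot: the distribution line `oldstable` in this changelog hunk is not a target a security upload for etch is built against; Debian security updates use the `oldstable-security` suite, and security uploads are conventionally marked `urgency=high`. The version `1:1.8.17-15` also bumps the plain Debian revision, which risks colliding with a later regular upload of the same package; the usual practice for a security update is to append a suite suffix (for example `+etch1`) to the version currently in oldstable, which this hunk does not show, so the fixed package still sorts below any future `-15`. The entry should also say what CVE-2009-2414 and CVE-2009-2416 fix and where the patches come from, rather than only naming the identifiers.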
> 
> wrong distribution line, wrong version number and wrong urgency, the latter is
> just cosmetic.

thanks for the hints; i will do better next time.

mike
