Re: [PATCH 0/3] Expat and libxslt changes for core-updates
From: Efraim Flashner
Subject: Re: [PATCH 0/3] Expat and libxslt changes for core-updates
Date: Wed, 8 Jun 2016 13:10:16 +0300
User-agent: Mutt/1.6.1 (2016-04-27)
On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
>
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updates, but for
> some reason doesn't exist at HEAD. According to MITRE the bug does
> affect all currently released versions of expat:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
>
> I noticed a "left-over" patch for a bug that is apparently fixed in the
> version of expat on core-updates (2.1.1), so it is deleted:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
>
> For libxslt, I update to the latest version and remove patches that are
> no longer needed. The timestamp issue was addressed upstream [0] and the
> bug has been fixed in this version. These patches were strangely no
> longer listed in 'gnu/local.mk'.
>
> [0]
> https://git.gnome.org/browse/libxslt/commit/?id=e57df303eca25a2a3f9e0625c29f4b20177858cc
>
> Leo Famulari (3):
> gnu: expat: Fix CVE-2016-0718.
> gnu: Remove unused patch.
> gnu: libxslt: Update to 1.1.29.
>
> gnu/local.mk | 1 -
> .../patches/expat-CVE-2015-1283-refix.patch | 42 --------------
> gnu/packages/patches/libxslt-CVE-2015-7995.patch | 29 ----------
> .../patches/libxslt-remove-date-timestamps.patch | 66 ----------------------
> gnu/packages/xml.scm | 9 ++-
> 5 files changed, 4 insertions(+), 143 deletions(-)
> delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
> delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
> delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch
>
> --
> 2.8.3
>
FWIW Debian's expat-2.1.1(-3) still has the CVE-2015-1283 patch applied. Also,
there are 2 new CVEs, CVE-2012-6702 and CVE-2016-5300:
https://www.debian.org/security/2016/dsa-3597
https://sources.debian.net/src/expat/2.1.1-3/debian/patches/
--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted