On Sun, Dec 31, 2023 at 11:45:06AM +0100, Guilhem Moulin wrote:
>
> Thanks for the fast reply! 3.2.4+debian-1.1 is now in trixie, you'll
> find the commits and tag at
> https://salsa.debian.org/lts-team/packages/xerces-c.git
>
> I also filed a MR to update your repository with that NMU:
>
Hi,
On Thu, 28 Dec 2023 at 13:28:53 -0500, de...@blough.us wrote:
> Thanks for doing this.
>
> I don't have a lot of free time at the moment, so please feel free to NMU.
Thanks for the fast reply! 3.2.4+debian-1.1 is now in trixie, you'll
find the commits and tag at
On Thu, Dec 28, 2023 at 05:41:52PM +0100, Guilhem Moulin wrote:
> Hi,
>
> Upstream has now released 3.2.5 which fixes the issue
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411=Text=10510
>
> The fix can be found at
>
> https://github.com/apache/xerces-c/pull/54
>
Hi,
Upstream has now released 3.2.5 which fixes the issue
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411=Text=10510
The fix can be found at
https://github.com/apache/xerces-c/pull/54
Excellent!
I just re-uploaded 3.2.2+debian-1+deb10u1 with the updated patch.
(and tested in an i386 chroot for good measure)
I'm now adapting for stretch-lts (which has a monolithic test result).
Cheers!
Sylvain
I've uploaded 3.2.3+debian-3 to unstable with a fix for the test failure
on 32-bit archs.
They're still building, but several of the 32-bit archs have already
completed successfully, and I fully expect the others to complete as
well.
The updated quilt patch is attached.
On 11/12 18:59, Sylvain Beucler wrote:
> I did more tests during the past few hours (checking that
> XERCES_DISABLE_DTD does address the memory leak and using a couple
> reverse dependencies) and just uploaded the buster update to security
> master.
I've just rejected this upload, so you can
FYI, it looks like the test suite is failing on 32-bit architectures
due to different amounts of memory being leaked than what the updated
leak test is expecting. (I'm guessing due to pointer size differences)
I'll try to figure out a solution that will pass everywhere, but if all
else fails, I
On 11/12/2020 18:40, Bill Blough wrote:
> This patch has been applied in 3.2.3+debian-2 which has been uploaded to
> unstable.
> I'll leave this bug open in hopes of an eventual upstream fix.
Great!
On 10/12/2020 09:44, Sébastien Delafond wrote:
> thanks for the debdiff, it looks good and the
This patch has been applied in 3.2.3+debian-2 which has been uploaded to
unstable.
I'll leave this bug open in hopes of an eventual upstream fix.
On Wed, Dec 09, 2020 at 05:46:33PM +0100, Sylvain Beucler wrote:
> Hi,
>
> Here's a debdiff against buster.
>
> The testsuite passes, provided we
On 09/12 17:46, Sylvain Beucler wrote:
> Here's a debdiff against buster.
>
> The testsuite passes, provided we modify MemHandlerTest1 to take the
> leak into account.
Hi Sylvain,
thanks for the debdiff, it looks good and the trade-off makes sense. You
can upload to security-master and I'll
Looks good to me. Thanks.
Hi,
Here's a debdiff against buster.
The testsuite passes, provided we modify MemHandlerTest1 to take the
leak into account.
What do you think?
Cheers!
Sylvain Beucler
Debian LTS Team
On 24/11/2020 17:39, Bill Blough wrote:
> The package has a test suite, so that's probably the minimum. But
The package has a test suite, so that's probably the minimum. But I'm
not sure how much it exercises the DTD code, if at all.
I also typically test with some of our internal code at work. But
again, no DTDs in use there, either.
On Mon, Nov 23, 2020 at 03:56:37PM +0100, Sylvain Beucler wrote:
> Hi,
> I can assist with this, notably an LTS upload - not necessarily
> immediately either.
> Bill, do you have testing procedures to recommend for this package?
> Security Team, before issuing an LTS upload, what is your view on a
> Stable upload for this issue?
> Cheers!
> Sylvain Beucler
> Debian LTS
Yes, this seems reasonable.
I'll prepare an upload to unstable prior to the freeze. But it likely
won't be for a couple of weeks due to my current workload.
Since I assume one of your concerns is for LTS, feel free to do the LTS
upload. Or, if you'd rather, I can make an attempt at that in a
Hi,
It seems likely that this issue won't get a proper fix soon, due to
upstream inactivity in that area, and the requirement of breaking binary
compatibility.
Use-after-free is a serious vulnerability as it can lead to various
issues including code execution, and the issue was rated 8.1/10
Source: xerces-c
Version: 3.2.2+debian-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/XERCESC-2188
Control: found -1 3.1.4+debian-2+deb9u1
Control: found -1 3.1.4+debian-1
Hi,
The following vulnerability was published for xerces-c. There is no