Hi LTS team,

I have started to look into CVE-2016-9318. The solution to this problem is to introduce a new option that makes it possible to disallow any external entity references. As this is a library, it means that all applications have to be updated to utilize this. Also, in many situations this is actually not advisable unless it is an admin decision, so a new configuration option is needed for all such applications.
Unless anyone objects I will mark CVE-2016-9318 as no-dsa.

Best regards

// Ola

On 6 January 2017 at 09:33, Aron Xu <[email protected]> wrote:
> On Sun, Jan 1, 2017 at 4:59 AM, Ola Lundqvist <[email protected]> wrote:
>> Hello dear maintainer(s),
>>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of libxml2:
>> https://security-tracker.debian.org/tracker/CVE-2016-9318
>> https://security-tracker.debian.org/tracker/CVE-2016-9597
>> https://security-tracker.debian.org/tracker/CVE-2016-9598
>>
>> Would you like to take care of this yourself?
>>
>> If yes, please follow the workflow we have defined here:
>> https://wiki.debian.org/LTS/Development
>>
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to [email protected]
>> (via a debdiff, or with an URL pointing to the source package,
>> or even with a pointer to your packaging repository), and the members
>> of the LTS team will take care of the rest. Indicate clearly whether you
>> have tested the updated package or not.
>>
>> If you don't want to take care of this update, it's not a problem, we
>> will do our best with your package. Just let us know whether you would
>> like to review and/or test the updated package before it gets released.
>>
>> You can also opt-out from receiving future similar emails in your
>> answer and then the LTS Team will take care of libxml2 updates
>> for the LTS releases.
>>
>
> Hi,
>
> I'm not quite interested in backporting the fixes to LTS branch at
> this moment, but CC'ing the XML/SGML group to see if there's anyone
> else interested...
>
> Regards,
> Aron

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                   Folkebogatan 26            \
|  [email protected]                   654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551  |
 \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
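The opt-in model Ola describes above (the library cannot safely change its default, so each application must explicitly tell its parser to skip external entity references, and expose that as an admin-controlled setting) as an added illustration that is not part of this thread or of libxml2. It uses Python's standard-library expat and SAX parsers rather than libxml2; the sample document, the placeholder file path and the function names are constructed for this example.

```python
import io
import xml.parsers.expat
import xml.sax
import xml.sax.handler

# Constructed sample: one harmless internal entity and one external (SYSTEM)
# entity pointing at a placeholder path; a hardened parse must not open it.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello">
  <!ENTITY ext SYSTEM "file:///placeholder/not-to-be-read.txt">
]>
<note>&greeting; &ext;</note>"""


def external_entity_declarations(xml_bytes):
    """Return (name, system_id) for each external general entity the document
    declares, without resolving any. Run before the real parse so the input
    can be rejected unless an administrator has enabled external entities."""
    found = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and system_id is not None:
            found.append((name, system_id))

    p = xml.parsers.expat.ParserCreate()
    # Never fetch an external DTD subset while only scanning declarations.
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.EntityDeclHandler = entity_decl
    p.Parse(xml_bytes, True)
    return found


class _TextCollector(xml.sax.handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def parse_document(xml_bytes, allow_external_entities=False):
    """Parse and return the element text. The application, not the library
    default, decides (ideally from admin configuration) whether external
    entity references are resolved; when disallowed, &ext; contributes no text."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, allow_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)
```

With the default of `allow_external_entities=False`, the placeholder file is never opened and the internal entity still expands normally.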
