Hi,

On Thursday, 3 January 2019, 20:30:29 CET, Daniel Veillard via xml wrote:
> Security:
> - CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick Wellnhofer)
> - CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick Wellnhofer)

What about CVE-2017-8872? Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/
https://security-tracker.debian.org/tracker/CVE-2017-8872

According to
https://bugzilla.gnome.org/show_bug.cgi?id=775200
and
https://gitlab.gnome.org/GNOME/libxml2/issues/26
that might have been fixed by accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well enough to say if it is harmful now and should be dropped? I also can not say if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Anyone else?

Greets
Alex

_______________________________________________
xml mailing list, project page http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml