Debdiff attached which fixes the problem for Xenial. Since there is no corresponding Debian release to fakesync this from for Xenial, I've just recreated the patch sequence against the version already in Xenial. It includes the same two quilt patches which have been fake-synced into Trusty, and already exist in Bionic:
- A one-line patch to add 'disallowDoctype' to the parser configuration. While this does nothing under the Xerces 3.1 in Xenial, it provides generic impersonation protection for Xerces 3.2. This patch is a pre-req to get the upstream CVE-2018-0489 patch to apply cleanly.
- Upstream's patch for CVE-2018-0489.

** Patch added: "debdiff for Xenial"
   https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+attachment/5095295/+files/CVE-2018-0489-xenial.debdiff

-- 
https://bugs.launchpad.net/bugs/1752306
Title: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
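The 'disallowDoctype' setting mentioned above makes the XML parser refuse any document that carries a DOCTYPE declaration, so that DTD-driven entity tricks never reach the later processing stages. The snippet below is an added illustration of that same check, written in Python against the standard-library expat binding; it is not code from xmltooling, from the debdiff, or from Xerces-C, and the three sample documents are constructed for the demo. It shows a plain document being accepted while documents with an internal DTD subset and with an external SYSTEM DTD are both rejected before any element is handed to the application.

```python
"""Reject XML documents that carry a DOCTYPE declaration before they are
processed (added example; mirrors the intent of a disallow-doctype parser
setting, not xmltooling's or Xerces-C's own code)."""
import xml.parsers.expat


class DoctypeDisallowed(ValueError):
    """Raised when the input contains a <!DOCTYPE ...> declaration."""


def parse_without_doctype(data: bytes) -> list[str]:
    """Parse `data` and return the element names seen, in document order.

    Raises DoctypeDisallowed as soon as a DOCTYPE declaration is seen, which
    happens before any element, attribute or entity reference is delivered to
    the application, so nothing defined in a DTD can influence later handling.
    """
    elements: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat calls this for every DOCTYPE, whether it only names an external
        # DTD (sysid/pubid) or carries an internal subset with entity definitions.
        raise DoctypeDisallowed(
            f"DOCTYPE for <{name}> rejected "
            f"(sysid={sysid!r}, internal_subset={bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(data, True)
    return elements


def rejects_doctype(data: bytes) -> bool:
    """True if `data` is refused because of a DOCTYPE, False if it parses."""
    try:
        parse_without_doctype(data)
    except DoctypeDisallowed:
        return True
    return False


# Constructed sample inputs (not taken from any real SAML exchange).
SAFE_DOC = (
    b'<?xml version="1.0"?>'
    b'<Response><Assertion ID="a1">ok</Assertion></Response>'
)
INTERNAL_DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Response [<!ENTITY x "y">]>'
    b'<Response>&x;</Response>'
)
EXTERNAL_DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Response SYSTEM "http://example.invalid/x.dtd">'
    b'<Response/>'
)


if __name__ == "__main__":
    print("safe document elements:", parse_without_doctype(SAFE_DOC))
    for label, doc in (("internal DTD", INTERNAL_DTD_DOC),
                       ("external DTD", EXTERNAL_DTD_DOC)):
        try:
            parse_without_doctype(doc)
        except DoctypeDisallowed as exc:
            print(f"{label}: {exc}")
```

The check fires on the declaration itself rather than on what the DTD defines, which is the property that makes a blanket "disallow DOCTYPE" setting simpler to reason about than trying to enumerate dangerous entity or external-subset cases individually.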
