[xml/sgml-pkgs] Bug#774358: libxml2: CVE-2014-3660 patch makes installation-guide FTBFS

Samuel Thibault sthibault at debian.org
Thu Mar 26 07:53:00 UTC 2015


Control: found -1 2.7.8.dfsg-2+squeeze11

Samuel Thibault, on Thu 26 Mar 2015 08:45:46 +0100, wrote:
> Samuel Thibault, on Thu 26 Mar 2015 02:17:01 +0100, wrote:
> > Control: found -1 2.8.0+dfsg1-7+wheezy3
> > 
> > This is still an issue in stable, the proposed patch was not applied
> > there, and thus installation-guide still FTBFS on wheezy, notably on our
> > dillon.debian.org machine, thus making http://d-i.debian.org/manual/
> > completely out of date. Could this be proposed for stable update?
> > 
> > I have attached the proposed patch again.
> 
> Just to insist: while the symptoms of my report (#774358) may look like
> #768089, the *actual* bug is *not* the same. Please read my bug report
> and the proposed patch again: the issue is that the security fix for
> CVE-2014-3660 from a newer version of libxml2 (2.9.x) was backported
> into the libxml2 of wheezy (2.8.x) without noticing the subtle source
> code difference which does matter a lot.

Of course, the squeeze version still suffers from the same bug for the
same reason.

Samuel


