Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Sat, 23 Aug 2008 17:53:16 +0200
From: Robert Buchholz <rbu@...too.org>
To: vendor-sec@....de,
 veillard@...hat.com
Cc: gnome@...too.org,
 oss-security@...ts.openwall.com
Subject: Re: libxml2 denial of service flaw (CVE-2008-3281)

On Wednesday 20 August 2008, Daniel Veillard wrote:
> On Wed, Aug 20, 2008 at 12:42:29PM -0400, Josh Bressers wrote:
> > Yes, this can be considered public.  An announcement should be
> > appearing on the xml list shortly:
> >
> > http://mail.gnome.org/archives/xml/
>
>   It's out:
>
>    http://mail.gnome.org/archives/xml/2008-August/msg00034.html
>
> thanks everybody !

Our gnome maintainers pointed out that the patch (which was also pushed 
upstream) breaks GDM in GNOME 2.22, as can be seen in Gentoo and 
Mandriva:
  https://bugs.gentoo.org/show_bug.cgi?id=235529
  https://qa.mandriva.com/show_bug.cgi?id=43094

upstream bug:
  http://bugzilla.gnome.org/show_bug.cgi?id=549087

Those who did not push updates yet might want to delay this, we have 
been reverting the patch for now.
I am CC'ing oss-security, please send follow-ups to that list.


Robert

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux