[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Sun, 24 Aug 2008 16:49:55 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com, vendor-sec@....de
Subject: Re: Re: libxml2 denial of service flaw (CVE-2008-3281)
Hi Robert,
* Robert Buchholz <rbu@...too.org> [2008-08-23 18:06]:
> On Wednesday 20 August 2008, Daniel Veillard wrote:
> > On Wed, Aug 20, 2008 at 12:42:29PM -0400, Josh Bressers wrote:
> > > Yes, this can be considered public. An announcement should be
> > > appearing on the xml list shortly:
> > >
> > > http://mail.gnome.org/archives/xml/
> >
> > It's out:
> >
> > http://mail.gnome.org/archives/xml/2008-August/msg00034.html
> >
> > thanks everybody !
>
> Our gnome maintainers pointed out that the patch (which was also pushed
> upstream) breaks GDM in GNOME 2.22, as can be seen in Gentoo and
> Mandriva:
> https://bugs.gentoo.org/show_bug.cgi?id=235529
> https://qa.mandriva.com/show_bug.cgi?id=43094
>
> upstream bug:
> http://bugzilla.gnome.org/show_bug.cgi?id=549087
>
> Those who did not push updates yet might want to delay this, we have
> been reverting the patch for now.
> I am CC'ing oss-security, please send follow-ups to that list.
Looks like rebuilding librsvg against libxml2 does solve the
problem referring to our bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125#79
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux