Re: [PATCH 0/3] Expat and libxslt changes for core-updates

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 0/3] Expat and libxslt changes for core-updates
Date: Wed, 8 Jun 2016 13:10:16 +0300	[thread overview]
Message-ID: <20160608101016.GA20565@debian-netbook> (raw)
In-Reply-To: <cover.1465347219.git.leo@famulari.name>

[-- Attachment #1: Type: text/plain, Size: 2321 bytes --]

On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
> 
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updates, but for
> some reason doesn't exist at HEAD. According to MITRE the bug does
> affect all currently released versions of expat:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
> 
> I noticed a "left-over" patch for a bug that is apparently fixed in the
> version of expat on core-updates (2.1.1), so it is deleted:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
> 
> For libxslt, I update to the latest version and remove patches that are
> no longer needed. The timestamp issue was addressed upstream [0] and the
> bug has been fixed in this version. These patches were strangely no
> longer listed in 'gnu/local.mk'.
> 
> [0]
> https://git.gnome.org/browse/libxslt/commit/?id=e57df303eca25a2a3f9e0625c29f4b20177858cc
> 
> Leo Famulari (3):
>   gnu: expat: Fix CVE-2016-0718.
>   gnu: Remove unused patch.
>   gnu: libxslt: Update to 1.1.29.
> 
>  gnu/local.mk                                       |  1 -
>  .../patches/expat-CVE-2015-1283-refix.patch        | 42 --------------
>  gnu/packages/patches/libxslt-CVE-2015-7995.patch   | 29 ----------
>  .../patches/libxslt-remove-date-timestamps.patch   | 66 ----------------------
>  gnu/packages/xml.scm                               |  9 ++-
>  5 files changed, 4 insertions(+), 143 deletions(-)
>  delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
>  delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
>  delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch
> 
> -- 
> 2.8.3
> 

FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
there's 2 new cves, cve-2012-6702 and cve-2016-5300
https://www.debian.org/security/2016/dsa-3597
https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

next prev parent reply	other threads:[~2016-06-08 10:10 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-08  0:54 [PATCH 0/3] Expat and libxslt changes for core-updates Leo Famulari
2016-06-08  0:54 ` [PATCH 1/3] gnu: expat: Fix CVE-2016-0718 Leo Famulari
2016-06-08 13:25   ` Ludovic Courtès
2016-06-09 16:20     ` Leo Famulari
2016-06-08  0:54 ` [PATCH 2/3] gnu: Remove unused patch Leo Famulari
2016-06-08 13:25   ` Ludovic Courtès
2016-06-08  0:54 ` [PATCH 3/3] gnu: libxslt: Update to 1.1.29 Leo Famulari
2016-06-08 13:26   ` Ludovic Courtès
2016-06-08 10:10 ` Efraim Flashner [this message]
2016-06-08 11:50   ` [PATCH 0/3] Expat and libxslt changes for core-updates Leo Famulari
2016-06-08 11:55     ` Leo Famulari
2016-06-08 13:27   ` Ludovic Courtès
2016-06-09 16:26   ` Leo Famulari
2016-06-09 16:43   ` Leo Famulari
2016-06-09 23:19     ` Leo Famulari
2016-06-10 12:59       ` Ludovic Courtès
2016-06-11  0:49         ` Leo Famulari
2016-06-12 20:26           ` Ludovic Courtès
2016-06-13  2:20             ` Leo Famulari
2016-06-13 15:05               ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160608101016.GA20565@debian-netbook \
    --to=efraim@flashner.co.il \
    --cc=guix-devel@gnu.org \
    --cc=leo@famulari.name \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.