On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
> 
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updates, but for
> some reason doesn't exist at HEAD. According to MITRE the bug does
> affect all currently released versions of expat:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
> 
> I noticed a "left-over" patch for a bug that is apparently fixed in the
> version of expat on core-updates (2.1.1), so it is deleted:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
> 
> For libxslt, I update to the latest version and remove patches that are
> no longer needed. The timestamp issue was addressed upstream [0] and the
> bug has been fixed in this version. These patches were strangely no
> longer listed in 'gnu/local.mk'.
> 
> [0]
> https://git.gnome.org/browse/libxslt/commit/?id=e57df303eca25a2a3f9e0625c29f4b20177858cc
> 
> Leo Famulari (3):
>   gnu: expat: Fix CVE-2016-0718.
>   gnu: Remove unused patch.
>   gnu: libxslt: Update to 1.1.29.
> 
>  gnu/local.mk                                       |  1 -
>  .../patches/expat-CVE-2015-1283-refix.patch        | 42 --------------
>  gnu/packages/patches/libxslt-CVE-2015-7995.patch   | 29 ----------
>  .../patches/libxslt-remove-date-timestamps.patch   | 66 ----------------------
>  gnu/packages/xml.scm                               |  9 ++-
>  5 files changed, 4 insertions(+), 143 deletions(-)
>  delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
>  delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
>  delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch
> 
> -- 
> 2.8.3
> 

FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
there's 2 new cves, cve-2012-6702 and cve-2016-5300
https://www.debian.org/security/2016/dsa-3597
https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted