On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari writes:
>
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
> >
> > I noticed that Debian applied several more upstream changes to their
> > package:
> >
> > https://anonscm.debian.org/cgit/debian-xml-sgml/libxml2.git/tree/debian/patches
> >
> > Here is the upstream repository:
> >
> > https://git.gnome.org/browse/libxml2/log/
> >
> > Your thoughts?
>
> The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.
>
> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

I pushed these specific fixes, using grafts.

> I did not look into the other Debian patches.

I'll look into this over the next few days if nobody beats me to it.