Michael S Gilbert
2009-Aug-13 03:01 UTC
[Secure-testing-team] RFS: libxml fixing CVE-2009-2414/2416 in etch
Hi,

I have prepared updates for libxml addressing CVE-2009-2414/2416 in etch (derived from mandriva's patches). Attached is the debdiff. This supports the recent DSA-1859.

The package can be found on mentors.debian.net:

- URL: http://mentors.debian.net/debian/pool/main/l/libxml
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/l/libxml/libxml_1.8.17-15.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Michael Gilbert

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff
Type: application/octet-stream
Size: 3095 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090812/7df6846a/attachment-0001.obj>
Nico Golde
2009-Aug-13 15:16 UTC
[Secure-testing-team] RFS: libxml fixing CVE-2009-2414/2416 in etch
Hi,

* Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-13 14:13]:
> I have prepared updates for libxml addressing CVE-2009-2414/2416 in
> etch (derived from mandriva's patches). Attached is the debdiff.
> This supports the recent DSA-1859:
[...]

No need, I have a package ready which I only didn't upload yet because I didn't have the time and this is pretty unimportant for libxml. Thanks anyway.

Cheers
Nico

P.S. by fixing bugs I meant in unstable

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Nico Golde
2009-Aug-13 15:24 UTC
[Secure-testing-team] RFS: libxml fixing CVE-2009-2414/2416 in etch
Hi,

* Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-13 14:13]:
> I have prepared updates for libxml addressing CVE-2009-2414/2416 in
> etch (derived from mandriva's patches). Attached is the debdiff.
> This supports the recent DSA-1859:

Also a small comment:

--- libxml-1.8.17/debian/changelog +++ libxml-1.8.17/debian/changelog @@ -1,3 +1,9 @@ +libxml (1:1.8.17-15) oldstable; urgency=low + + * apply patches for CVE-2009-2414 and CVE-2009-2416 + + -- Michael Gilbert <michael.s.gilbert at gmail.com> Wed, 12 Aug 2009 17:28:31 -0400

wrong distribution line, wrong version number and wrong urgency, the latter is just cosmetic.

Cheers
Nico
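Review bot: the new changelog stanza `+libxml (1:1.8.17-15) oldstable; urgency=low` is not shaped like an etch security upload, which is the point the reply above raises: the RFS says the package is for etch and supports DSA-1859, so the distribution field should name the security suite for etch rather than plain `oldstable`, the urgency should be high as is usual for security updates, and the version should carry an etch-specific suffix that sorts below the revision shipped in later releases instead of claiming the plain `-15` revision number (the same `1.8.17-15` version appears in the mentors `.dsc` URL, so the source package name would need the same correction before upload).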
Michael S. Gilbert
2009-Aug-13 21:15 UTC
[Secure-testing-team] RFS: libxml fixing CVE-2009-2414/2416 in etch
On Thu, 13 Aug 2009 17:24:23 +0200 Nico Golde wrote:
>> P.S. by fixing bugs I meant in unstable
>
> Just realized that this may sound a bit harsh. Sorry. But
> this is really not the place where help is needed, picking
> up upstream security patches and applying them isn't the
> hard part. But there are a lot of bugs in the tracker which
> need actually people to work on fixes.

obviously; the patch and package were pretty straightforward (and i'm sure most of these things are), but since you gave me such a hard time i decided to fix something that needed fixing; and the discussion the last few days made it look like libxml was not going to get addressed.

my interest is in a secure stable (and oldstable) release and not so much unstable; hence i don't want to work on that. there are still a significant number of unaddressed issues in the stable releases right now. i would like to be permitted to apply patches and create packages for you for those releases. i have generated a patch for poppler, but not a package, and i guess that isn't enough to be useful. so i will generate a package for that and packages for other issues in the future.

i am also interested in making sure all security issues are known and triaged, which is a non-trivial task in and of itself. it's straightforward when issues trickle through the cve list, but less so when issues are disclosed to the public on other lists, but fall through the cracks; which is what mostly i have been concerned with. i would hope that this is helpful. the alternative is potentially never knowing about the flaw and leaving the hole open indefinitely (if it never gets a cve).

> Also a small comment:
> --- libxml-1.8.17/debian/changelog > +++ libxml-1.8.17/debian/changelog > @@ -1,3 +1,9 @@ > +libxml (1:1.8.17-15) oldstable; urgency=low > + > + * apply patches for CVE-2009-2414 and CVE-2009-2416 > + > + -- Michael Gilbert <michael.s.gilbert at gmail.com> Wed, 12 Aug 2009 17:28:31 -0400
>
> wrong distribution line, wrong version number and wrong urgency, the latter is
> just cosmetic.

thanks for the hints; i will do better next time.

mike