Re: MapServer and TinyOWS updates for CVE-2013-0339

To: sebastic <sebastic@xs4all.nl>
Cc: team@security.debian.org, debian-gis@lists.debian.org
Subject: Re: MapServer and TinyOWS updates for CVE-2013-0339
From: Alessandro Ghedini <ghedo@debian.org>
Date: Tue, 7 Jul 2015 15:40:55 +0200
Message-id: <[🔎] 20150707134055.GA4296@kronk.local>
In-reply-to: <[🔎] 60eab6f3a68d9b1188632945a37225a5@xs4all.nl>
References: <CAOM3y2iywqLbYqfD+2VR_Fb4i55680iNvSvFp3Nxcm=tG+1aPg@mail.gmail.com> <[🔎] 60eab6f3a68d9b1188632945a37225a5@xs4all.nl>

On mar, lug 07, 2015 at 03:02:39 +0200, sebastic wrote:
> Dear Security Team,
> 
> Today the MapServer project published new MapServer & TinyOWS releases to
> address CVE-2013-0339 in libxml2.
> 
> Since the issue is only with libxml2 < 2.9, it should only affect wheezy and
> squeeze. But since CVE-2013-0339 is marked fixed in the wheezy & squeeze
> libxml2 packages, I don't think we need these mapserver updates in Debian
> for the security fix.
> 
> Can you confirm we don't to patch mapserver in wheezy & squeeze?

Yes. As far as we know CVE-2013-0339 is fixed in both squeeze and wheezy, so
there's no need to implement mitigations in software using libxml2.

Cheers

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- MapServer and TinyOWS updates for CVE-2013-0339
  - From: sebastic <sebastic@xs4all.nl>

Prev by Date: MapServer and TinyOWS updates for CVE-2013-0339
Next by Date: liblas stuck in built status
Previous by thread: MapServer and TinyOWS updates for CVE-2013-0339
Next by thread: liblas stuck in built status
Index(es):
- Date
- Thread