Bug#988070: unblock: libxml2/2.9.10+dfsg-6.5 (pre-approval)
Hi,
On Tue, May 04, 2021 at 09:19:20PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: carnil@debian.org
>
> Dear release team
>
> This is a pre-approval request to please unblock package libxml2 (not
> yet uploaded to unstable, but to experimental so far as
> 2.9.10+dfsg-6.4).
>
> Please unblock package libxml2
>
> [ Reason ]
>
> The update would fix three CVEs recently reported, CVE-2021-3516
> (#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737).
> Which are not very severe but we still wanted to try to get fixes into
> bullseye.
>
> [ Impact ]
>
> Package still affected by those CVEs.
>
> [ Tests ]
>
> For those three CVEs PoCs are available, which I had tested before and
> with the fix, except CVE-2021-3516, which I could not trigger the
> issue, but the change is simple.
>
> Furthermore given I uploaded to experimental there was additional
> exposure by the autopkgtests. From those as you can see from
> https://release.debian.org/britney/pseudo-excuses-experimental.html
> three marked regressions, but both balsa and kopanocore were already
> before failing. For libreoffice the tests somehow are flapping where
> they fail, I do not see a relation to the libxml2 here. libreoffice
> failed there in the last run for uicheck-sc test (triggered by
> python3.9), but in the libxml2 case it failed for the uicheck-sw test
> and for the previous failure it was again one other test.
To confirm: And in fact just one other run did not fail:
https://ci.debian.net/data/autopkgtest/unstable/amd64/libr/libreoffice/12125523/log.gz
Regards,
Salvatore