Hi,
On Tue, May 04, 2021 at 09:19:20PM +0200, Salvatore Bonaccorso wrote:
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org
Dear release team,
This is a pre-approval request to please unblock package libxml2 (not
yet uploaded to unstable, but to experimental so far as
2.9.10+dfsg-6.4).
Please unblock package libxml2
[ Reason ]
The update would fix three CVEs recently reported, CVE-2021-3516
(#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737),
which are not very severe, but we still wanted to try to get fixes into
bullseye.
[ Impact ]
Package still affected by those CVEs.
[ Tests ]
For those three CVEs PoCs are available, which I had tested before and
with the fix, except for CVE-2021-3516, for which I could not trigger the
issue, but the change is simple.
Furthermore, given I uploaded to experimental, there was additional
exposure via the autopkgtests. From those, as you can see from
https://release.debian.org/britney/pseudo-excuses-experimental.html,
three are marked as regressions, but both balsa and kopanocore were
already failing before. For libreoffice the tests somehow are flapping
where they fail; I do not see a relation to libxml2 here. libreoffice
failed there in the last run for the uicheck-sc test (triggered by
python3.9), but in the libxml2 case it failed for the uicheck-sw test,
and for the previous failure it was again one other test.
To confirm: and in fact just one other run did not fail:
https://ci.debian.net/data/autopkgtest/unstable/amd64/libr/libreoffice/12125523/log.gz