
Bug#988070: unblock: libxml2/2.9.10+dfsg-6.5 (pre-approval)



Hi Emilio,

On Thu, May 06, 2021 at 11:27:50AM +0200, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> Hi Salvatore,
> 
> On 06/05/2021 10:56, Salvatore Bonaccorso wrote:
> > Control: retitle -1 unblock: libxml2/2.9.10+dfsg-6.6
> > (pre-approval)
> > On Tue, May 04, 2021 at 11:04:52PM +0200, Salvatore Bonaccorso wrote:
> > > Hi,
> > > 
> > > On Tue, May 04, 2021 at 09:19:20PM +0200, Salvatore Bonaccorso wrote:
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > User: release.debian.org@packages.debian.org
> > > > Usertags: unblock
> > > > X-Debbugs-Cc: carnil@debian.org
> > > > 
> > > > Dear release team
> > > > 
> > > > This is a pre-approval request to please unblock package libxml2 (not
> > > > yet uploaded to unstable, but to experimental so far as
> > > > 2.9.10+dfsg-6.4).
> > > > 
> > > > Please unblock package libxml2
> > > > 
> > > > [ Reason ]
> > > > 
> > > > The update would fix three CVEs recently reported, CVE-2021-3516
> > > > (#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737).
> > > > Which are not very severe but we still wanted to try to get fixes into
> > > > bullseye.
> > > > 
> > > > [ Impact ]
> > > > 
> > > > Package still affected by those CVEs.
> > > > 
> > > > [ Tests ]
> > > > 
> > > > For those three CVEs pocs are available, which I had tested before and
> > > > with the fix, except CVE-2021-3516, which I could not trigger the
> > > > issue, but the change is simple.
> > > > 
> > > > Furthermore given I uploaded to experimental there was additional
> > > > exposure by the autopkgtests. From those as you can see from
> > > > https://release.debian.org/britney/pseudo-excuses-experimental.html
> > > > three marked regressions, but both balsa and kopanocore were already
> > > > before failing.  For libreoffice the tests somehow are flapping where
> > > > they fail, I do not see a relation to the libxml2 here. libreoffice
> > > > failed there in the last run for uicheck-sc test (triggered by
> > > > python3.9), but in the libxml2 case it failed for the uicheck-sw test
> > > > and for the previous failure it was again one other test.
> > > 
> > > To confirm: And in fact just one other run did not fail:
> > > https://ci.debian.net/data/autopkgtest/unstable/amd64/libr/libreoffice/12125523/log.gz
> > 
> > Another CVE popped up, which I have included in a new upload, thus
> > retitling the bug and attaching the new debdiff.
> 
> Please go ahead and let us know once the package has been accepted.

Thank you very much. I have uploaded and it got accepted, and all
architectures built. 

Regards,
Salvatore

