Bug#1061473: bookworm-pu: package tinyxml/2.6.2-6+deb12u1
Control: tags -1 + confirmed
On Tue, 2024-01-30 at 00:07 +0100, Guilhem Moulin wrote:
> Control: tags -1 - moreinfo
>
> On Mon, 29 Jan 2024 at 21:55:37 +0000, Adam D. Barratt wrote:
> >
> > On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote:
> > > Fix CVE-2023-34194: Reachable assertion (and application exit) via a
> > > crafted XML document with a '\0' located after whitespace.
> >
> > + * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application
> >
> > As far as I can tell from the Security Tracker, CVE-2023-40462
> > specifically refers to TinyXML's use in software that isn't in Debian.
> > Does it make sense to mention it in the changelog?
>
> That CVE was assigned to TinyXML until
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b,
> see also https://bugs.debian.org/1059315.
>
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059315#54 seems like
they should be considered separate.
> But fair enough, new debiff attached :-)
>
Thanks. Please go ahead.
Regards,
Adam