A CVE has been assigned for a security issue fixed upstream in libxml2:
http://openwall.com/lists/oss-security/2014/05/06/4

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors (CVE-2014-0191).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
https://bugzilla.redhat.com/show_bug.cgi?id=1090976
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.0-5.3.mga3
libxml2-utils-2.9.0-5.3.mga3
libxml2-python-2.9.0-5.3.mga3
libxml2-devel-2.9.0-5.3.mga3
libxml2_2-2.9.1-2.1.mga4
libxml2-utils-2.9.1-2.1.mga4
libxml2-python-2.9.1-2.1.mga4
libxml2-devel-2.9.1-2.1.mga4

from SRPMS:
libxml2-2.9.0-5.3.mga3.src.rpm
libxml2-2.9.1-2.1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Easy one to test: https://wiki.mageia.org/en/QA_procedure:Libxml2
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga4 32 & 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0214.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/598319/
Apparently this caused a regression in xmllint, which openSUSE has pushed a fix for: http://lists.opensuse.org/opensuse-updates/2014-05/msg00076.html I've added the fix in Cauldron and checked it into Mageia 3 and Mageia 4 SVN.