Ubuntu has issued an advisory on August 4:
https://ubuntu.com/security/notices/USN-5548-1
The issue is fixed upstream in 2.9.11.
Status comment: (none) => Patches available from upstream and Ubuntu
This SRPM is maintained by various people, so have to assign this update globally. Curious about the need for the patch if the newest version 2.9.11 fixes it.
Assignee: bugsquad => pkg-bugs
We have 2.9.10 in Mageia 8.
Also 2.9.11 isn't the newest version.
Updated package built for Mageia 8

Advisory:
========================

Patched libxml2 package fixes security vulnerability:

It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to execute arbitrary code (CVE-2016-3709).

References:
https://ubuntu.com/security/notices/USN-5548-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3709
========================

Updated packages in core/updates_testing:
========================
lib64xml2_2-2.9.10-7.5.mga8
lib64xml2-devel-2.9.10-7.5.mga8
libxml2-python3-2.9.10-7.5.mga8
libxml2-utils-2.9.10-7.5.mga8

from libxml2-2.9.10-7.5.mga8.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=30094#c3
Keywords: (none) => has_procedure
CVE: (none) => CVE-2016-3709
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
CC: (none) => mhrambo3501
mga8, x64

Packages updated OK.
Referring to the earlier bug, ran the simple test script which uses testdata.xml.

$ cat testdata.xml
<?xml version="1.0" encoding="UTF-8"?>
<testsuites tests="10" failures="0" disabled="0" errors="0" time="0.001" name="AllTests">
  <testsuite name="TestOne" tests="5" failures="0" disabled="0" errors="0" time="0.001">
    <testcase name="DefaultConstructor" status="run" time="0" classname="TestOne" />
    <testcase name="DefaultDestructor" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_EMIT_Passthrough" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_BUILD_Passthrough" status="Tested OK" time="0" classname="TestOne" />
    <testcase name="VHDL_SIMULATE_Passthrough" status="run" time="0.001" classname="TestOne" />
  </testsuite>
</testsuites>

$ python testxml.py
Tested OK

Installed chromium-browser and ran it under strace. Tried a few websites like the XML examples at w3schools.com, APOD and some of the 4K images of the Martian surface provided by NASA.

$ grep lib chromium.trace | grep xml
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 89

This looks good for release.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0290.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED