openSUSE has issued an advisory on October 21: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GF5AQ5CKRNM4375JOAHV5NMVNYQGEASN/ The issues are fixed upstream in 2.10.3. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.10.3Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this today (October 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNZAUJGHSPCIYDNVSWTSDYNJMQW7Z2JZ/
Various packagers deal with this SRPM, so assigning globally.
Assignee: bugsquad => pkg-bugs
SUSE has issued an advisory for this on October 25: https://lists.suse.com/pipermail/sle-security-updates/2022-October/012663.html We may be missing the fix for CVE-2016-3709 in Mageia 8.
Debian-LTS has issued an advisory for this on October 30: https://www.debian.org/lts/security/2022/dla-3172
(In reply to David Walser from comment #3) > SUSE has issued an advisory for this on October 25: > https://lists.suse.com/pipermail/sle-security-updates/2022-October/012663. > html > > We may be missing the fix for CVE-2016-3709 in Mageia 8. I found that CVE-2016-3709 was fixed in bug 30712.
CC: (none) => nicolas.salguero
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Integer overflows with XML_PARSE_HUGE. (CVE-2022-40303) Dict corruption caused by entity reference cycles. (CVE-2022-40304) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GF5AQ5CKRNM4375JOAHV5NMVNYQGEASN/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNZAUJGHSPCIYDNVSWTSDYNJMQW7Z2JZ/ https://lists.suse.com/pipermail/sle-security-updates/2022-October/012663.html https://www.debian.org/lts/security/2022/dla-3172 ======================== Updated packages in core/updates_testing: ======================== lib(64)xml2_2-2.9.10-7.6.mga8 lib(64)xml2-devel-2.9.10-7.6.mga8 libxml2-python3-2.9.10-7.6.mga8 libxml2-utils-2.9.10-7.6.mga8 from SRPM: libxml2-2.9.10-7.6.mga8.src.rpm
CVE: (none) => CVE-2022-40303, CVE-2022-40304Status: NEW => ASSIGNEDStatus comment: Fixed upstream in 2.10.3 => (none)Version: Cauldron => 8Whiteboard: MGA8TOO => (none)Source RPM: libxml2-2.10.2-1.mga9.src.rpm => libxml2-2.9.10-7.5.mga8.src.rpmAssignee: pkg-bugs => qa-bugs
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Followed the wiki, but the last line of the py script throws an error now. I will upload the files as I used them here. $ python testxml.py Tested OK $ python3 testxml.py Tested OK $ xmllint --auto <?xml version="1.0"?> <info>abc</info> $ xmlcatalog --create <?xml version="1.0"?> <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/> This all looks OK. Took Len's suggestion and used chromium to browse around in the libxml2 tutorial, worked perfectly OK.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Created attachment 13474 [details] py script to run
Created attachment 13475 [details] testdata for py script
Validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0412.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
Created attachment 14078 [details] Correct testdata for py script Original testdata file was actually a second copy of the py script.
Attachment 13475 is obsolete: 0 => 1