oss-sec mailing list archives

Re: Please reject duplicate CVE for libxml2


From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 7 Jun 2016 09:49:00 +0200

Hi,

On Tue, Jun 07, 2016 at 09:34:51AM +0200, Martin Prpic wrote:
> Hi, it seems two CVEs were assigned for the same issue in libxml2:
>
> http://seclists.org/oss-sec/2016/q1/683
> http://seclists.org/oss-sec/2016/q2/214
>
> Daniel Veillard reported to us that these issues are the same and fixed
> by:
>
> https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9
>
> The upstream bug is:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=762100
>
> Can CVE-2016-4483 please be rejected as a duplicate of CVE-2016-3627?

What is confusing, though, is that the two commits are tagged
accordingly in the upstream git repository:

Tagged for CVE-2016-4483:
https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd

Tagged for CVE-2016-3627:
https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9

For the updates in Debian we have thus used both commits and referenced
both CVEs; I think Ubuntu has done the same in USN 2994
(http://www.ubuntu.com/usn/usn-2994-1/).

Regards,
Salvatore
