oss-sec mailing list archives

Re: libxml2 denial of service flaw (CVE-2008-3281)


From: Robert Buchholz <rbu () gentoo org>
Date: Sat, 23 Aug 2008 17:53:16 +0200

On Wednesday 20 August 2008, Daniel Veillard wrote:
> On Wed, Aug 20, 2008 at 12:42:29PM -0400, Josh Bressers wrote:
> > Yes, this can be considered public.  An announcement should be
> > appearing on the xml list shortly:
> >
> > http://mail.gnome.org/archives/xml/
>
>   It's out:
>
>    http://mail.gnome.org/archives/xml/2008-August/msg00034.html
>
> thanks everybody !

Our GNOME maintainers pointed out that the patch (which was also pushed 
upstream) breaks GDM in GNOME 2.22, as can be seen in Gentoo and 
Mandriva:
  https://bugs.gentoo.org/show_bug.cgi?id=235529
  https://qa.mandriva.com/show_bug.cgi?id=43094

upstream bug:
  http://bugzilla.gnome.org/show_bug.cgi?id=549087

Those who did not push updates yet might want to delay this; we have 
been reverting the patch for now.
I am CC'ing oss-security, please send follow-ups to that list.


Robert
