stable

libxml2-2.10.3-1.fc36 and xmlsec1-1.2.33-3.fc36

FEDORA-2022-aeafd24818 created by amigadave 4 months ago for Fedora 36

Update to 2.10.3

  • Fix CVE-2022-40303
  • Fix CVE-2022-40304

Logout Required
After installing this update, you must log out of your current user session and log back in to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2022-aeafd24818

This update has been submitted for testing by amigadave.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'failed'.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago

This update has been pushed to testing.

4 months ago
bojan commented & provided feedback 4 months ago

Works.

hwti commented & provided feedback 4 months ago

It breaks openconnect, see https://bugzilla.redhat.com/show_bug.cgi?id=2136800. Either the FTP support needs to be enabled to keep the symbols, or xmlsec1 (at least) needs to be rebuilt.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 months ago

amigadave edited this update.

New build(s):

  • xmlsec1-1.2.33-3.fc36

Karma has been reset.

4 months ago

This update has been submitted for testing by amigadave.

4 months ago

This update has been pushed to testing.

4 months ago
hwti commented & provided feedback 4 months ago

openconnect now works fine with the rebuilt xmlsec1

BZ#2136800 openconnect fails due to missing symbol xmlIOFTPRead
filiperosset commented & provided feedback 4 months ago

no regressions noted

This update can be pushed to stable now if the maintainer wishes

4 months ago

This update has been submitted for stable by amigadave.

4 months ago

This update has been pushed to stable.

4 months ago
mjg commented & provided feedback 4 months ago

Note that GraphicsMagick (and users) suffers from a similar problem like xmlsec did: bz#2138022

ppisar commented & provided feedback 3 months ago

This breaks ABI by removing xmlNanoFTP* symbols. It breaks ImageMagick. You need to re-enable FTP support.

mtasaka commented & provided feedback 3 months ago

Unfortunately, this went to stable already....



Metadata

  • Type: security
  • Severity: medium
  • Karma: -1
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -3
  • Stable by Karma: disabled
  • Stable by Time: disabled

Dates

  • submitted: 4 months ago
  • in testing: 4 months ago
  • in stable: 4 months ago
  • modified: 4 months ago

  • BZ#2119077 libxml2-2.10.2 is available
  • BZ#2136274 CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE [fedora-all]
  • BZ#2136293 CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles [fedora-all]
  • BZ#2136800 openconnect fails due to missing symbol xmlIOFTPRead

Automated Test Results

passed