stable

libxml2-2.10.3-1.fc36 and xmlsec1-1.2.33-3.fc36

FEDORA-2022-aeafd24818 created by amigadave 2 years ago for Fedora 36

Update to 2.10.3

  • Fix CVE-2022-40303
  • Fix CVE-2022-40304

Logout Required
After installing this update, you must log out of your current user session and log back in to ensure the changes supplied by this update are applied properly.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2022-aeafd24818

This update has been submitted for testing by amigadave.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'failed'.

2 years ago

This update's test gating status has been changed to 'passed'.

2 years ago

This update has been pushed to testing.

2 years ago
bojan commented & provided feedback 2 years ago

Works.

hwti commented & provided feedback 2 years ago

It breaks openconnect, see https://bugzilla.redhat.com/show_bug.cgi?id=2136800. Either the FTP support needs to be enabled to keep the symbols, or xmlsec1 (at least) needs to be rebuilt.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago

amigadave edited this update.

New build(s):

  • xmlsec1-1.2.33-3.fc36

Karma has been reset.

2 years ago

This update has been submitted for testing by amigadave.

2 years ago

This update has been pushed to testing.

2 years ago
hwti commented & provided feedback 2 years ago

openconnect now works fine with the rebuilt xmlsec1

BZ#2136800 openconnect fails due to missing symbol xmlIOFTPRead
filiperosset commented & provided feedback 2 years ago

no regressions noted

This update can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for stable by amigadave.

2 years ago

This update has been pushed to stable.

2 years ago
mjg commented & provided feedback 2 years ago

Note that GraphicsMagick (and users) suffers from a problem similar to the one xmlsec had: bz#2138022

ppisar commented & provided feedback 2 years ago

This breaks ABI by removing xmlNanoFTP* symbols. It breaks ImageMagick. You need to re-enable FTP support.

decathorpe provided feedback 2 years ago

mtasaka commented & provided feedback 2 years ago

Unfortunately, this went to stable already....


Metadata
Type: security
Severity: medium
Karma: -1
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
modified: 2 years ago
BZ#2119077 libxml2-2.10.2 is available
BZ#2136274 CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE [fedora-all]
BZ#2136293 CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles [fedora-all]
BZ#2136800 openconnect fails due to missing symbol xmlIOFTPRead