FEDORA-2022-aeafd24818 — security update for libxml2 and xmlsec1 — Fedora Updates System

stable

libxml2-2.10.3-1.fc36 and xmlsec1-1.2.33-3.fc36

FEDORA-2022-aeafd24818 created by amigadave 8 months ago for Fedora 36

Update to 2.10.3

Fix CVE-2022-40303
Fix CVE-2022-40304

Logout Required

After installing this update it is required that you logout of your current user session and log back in to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2022-aeafd24818

This update has been submitted for testing by amigadave.

This update's test gating status has been changed to 'waiting'.

This update's test gating status has been changed to 'failed'.

This update's test gating status has been changed to 'passed'.

This update has been pushed to testing.

bojan commented & provided feedback 8 months ago

karma

Works.

hwti commented & provided feedback 8 months ago

karma

It breaks openconnect, see https://bugzilla.redhat.com/show_bug.cgi?id=2136800. Either the FTP support needs to be enabled to keep the symbols, or xmlsec1 (at least) need to be rebuilt.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

amigadave edited this update.

New build(s):

xmlsec1-1.2.33-3.fc36

Karma has been reset.

This update has been submitted for testing by amigadave.

This update has been pushed to testing.

hwti commented & provided feedback 8 months ago

karma

openconnect now works fine with the rebuilt xmlsec1

BZ#2136800 openconnect fails due to missing symbol xmlIOFTPRead

filiperosset commented & provided feedback 8 months ago

karma

no regressions noted

This update can be pushed to stable now if the maintainer wishes

This update has been submitted for stable by amigadave.

This update has been pushed to stable.

mjg commented & provided feedback 8 months ago

Note that GraphicsMagick (and users) suffers from a similar problem like xmlsec did: bz#2138022

ppisar commented & provided feedback 7 months ago

karma

This breaks ABI by removing xmlNanoFTP* symbols. It breaks ImageMagick. You need to renable FTP support.

dustymabe commented & provided feedback 7 months ago

karma

https://bugzilla.redhat.com/show_bug.cgi?id=2139546

decathorpe provided feedback 7 months ago

karma

mtasaka commented & provided feedback 7 months ago

Unfortunately, this went to stable already....

Please login to add feedback.

Metadata

Type

security

Severity

medium

Karma

-1

Signed

Content Type

RPM

Test Gating

passed

Builds

2

libxml2-2.10.3-1.fc36

xmlsec1-1.2.33-3.fc36

Settings

Unstable by Karma

-3

Stable by Karma

disabled

Stable by Time

disabled

Dates

submitted

8 months ago

in testing

8 months ago

in stable

8 months ago

modified

8 months ago

BZ#2119077 libxml2-2.10.2 is available

0

0

BZ#2136274 CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE [fedora-all]

0

0

BZ#2136293 CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles [fedora-all]

0

0

BZ#2136800 openconnect fails due to missing symbol xmlIOFTPRead

0

1

libxml2-2.10.3-1.fc36

xmlsec1-1.2.33-3.fc36

Automated Test Results

passed

Copyright © 2007-2023 Red Hat, Inc. and others.

Running bodhi-server 7.2.0^202305170827gitb1d8280 on bodhi-web-95-lw97w.

bodhi is Free Software. Please file issues if you have any problems. Read the documentation.

• Composes • Legal • Privacy policy •