Bug 1104864
Summary: | libxml2-2.7.6-14.el6_5.1 fails parsing external resources | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | beckerje |
Component: | libxml2 | Assignee: | Daniel Veillard <veillard> |
Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-tools-bugs |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.7 | CC: | fweimer, jsegitz, me, redhat-bugzilla, sardella |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-12-06 12:57:21 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
beckerje
2014-06-04 20:49:40 UTC
The patch at https://mail.gnome.org/archives/xml/2014-May/txt5nbPSpfgSB.txt looks like it reintroduces the vulnerability. I think it is okay to trust the DTD specified with -dtdvalid, but not the input document, and the patch seems to extend trust to both once DTD validation is enabled.

http://www.ubuntu.com/usn/usn-2214-3/ notes "USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a number of regressions." Are all of those covered by this bug, or is a new one needed? Thanks.

This claims to have a fix: https://rhn.redhat.com/errata/RHBA-2014-0766.html

We're testing it now.

Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com/