Bug 1349794
Summary: | CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 libxml2: various flaws [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
Component: | libxml2 | Assignee: | Daniel Veillard <veillard> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 24 | CC: | athmanem, c.david86, jkurik, mcatanzaro+wrong-account-do-not-cc, rdieter, veillard, yselkowi |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | libxml2-2.9.4-2.fc24 libxml2-2.9.4-2.fc25 | Doc Type: | Release Note |
Last Closed: | 2017-04-19 07:50:25 UTC | Type: | --- |
Bug Blocks: | 1338682, 1338686, 1338691, 1338696, 1338700, 1338701, 1338702, 1338703, 1338705, 1338706, 1338708, 1338711 |
Description
Huzaifa S. Sidhpurwala
2016-06-24 09:37:50 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1338682,1338686,1338691,1338696,1338700,1338701,1338702,1338703,1338705,1338706,1338708,1338711,1349794

# Description of your update
notes=Security fix for CVE-2016-1833, CVE-2016-4447, CVE-2016-1835, CVE-2016-1837, CVE-2016-4448, CVE-2016-4449, CVE-2016-1836, CVE-2016-1839, CVE-2016-1838, CVE-2016-1840, CVE-2016-1834, CVE-2016-1762

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

This is two months old. Ping?

12 CVEs, security-critical package, tracking bug is ten months old... this is pretty bad. Our security process totally breaks down when we have a single unresponsive maintainer. An update was released for rawhide (and therefore F26) around the end of last year, but both F24 and F25 are still vulnerable. There are four other unresolved security tracking bugs against this product (bug #1421998, bug #1395610, bug #1384427, bug #1361439). Daniel, if you can't respond to these in a timely manner then you really need to orphan the package so someone else can handle it.

libxml2-2.9.4-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a3a47973eb

libxml2-2.9.4-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be8574d593

libxml2-2.9.4-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be8574d593

libxml2-2.9.4-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a3a47973eb

@Michael: as the bug is now in ON_QA state, can we remove the "PrioritizedBug" request?

Yeah, Rex took care of this. Still, this is going to be a big problem again next time we have a libxml2 vulnerability.

libxml2-2.9.4-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

libxml2-2.9.4-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.