Wednesday 12th August 2009
Fedora Project
Whilst browsing through LWN, I came across a Red Hat Security Alert on libxml and libxml2 (for RHEL), which was interesting because I hadn't seen any bug reports for libxml. I downloaded the RHEL-3 source package and found that it contained two patches for libxml 1.8.17 (the last release of libxml version 1), neither of which was in the Fedora version. The patches addressed:
CVE-2004-0110 (arbitrary code execution via a long URL)
CVE-2004-0989 (arbitrary code execution via a long URL)
CVE-2009-2414 (stack consumption DoS vulnerabilities)
CVE-2009-2416 (use-after-free DoS vulnerabilities)
Needless to say, I updated the libxml packages in Fedora 10, 11, and Rawhide and submitted updates pronto!
Local Packages
Updated libxml as per Fedora above
Updated libxml2 for the CVE-2009-2414 and CVE-2009-2416 vulnerabilities as per Fedora
Updated tzip to fix some compiler warnings