
oss-sec mailing list archives
Re: Please reject duplicate CVE for libxml2
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 7 Jun 2016 09:49:00 +0200
Hi,

On Tue, Jun 07, 2016 at 09:34:51AM +0200, Martin Prpic wrote:
> Hi, it seems two CVEs were assigned for the same issue in libxml2:
>
> http://seclists.org/oss-sec/2016/q1/683
> http://seclists.org/oss-sec/2016/q2/214
>
> Daniel Veillard reported to us that these issues are the same and fixed by:
>
> https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9
>
> The upstream bug is:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=762100
>
> Can CVE-2016-4483 please be rejected as a duplicate of CVE-2016-3627?
What is confusing, though, is that two commits are tagged accordingly in the upstream git repository:

Tagged for CVE-2016-4483:
https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd

Tagged for CVE-2016-3627:
https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9

For the updates in Debian we have thus used both commits and referenced both CVEs; I think Ubuntu has done the same in USN 2994 (http://www.ubuntu.com/usn/usn-2994-1/).

Regards,
Salvatore