On 2021-09-20 12:11:17 +0200, Mattia Rizzolo wrote:
> On Mon, Sep 20, 2021 at 11:41:38AM +0200, Vincent Lefevre wrote:
> > Please also make sure that the NEWS file is up-to-date; see my other
> > message. This is also useful for the user when getting regressions
> > in general (possibly from bug fixes like here).
>
> I'm not sure I'd like to add such an item to Debian's NEWS.

Note that for this one, I was talking about the upstream NEWS. But this may be an upstream bug. The NEWS file hasn't been regenerated in the git repository. I don't know about the tarball. But the announce message *does* contain the release notes. So I'm wondering.

Well, there is already an upstream bug for this one:

https://gitlab.gnome.org/GNOME/libxml2/-/issues/171

This was for 2.9.10, but is still a valid issue; I've added a comment.

> It would stop updates for too many users that most likely are not
> affected. For now, you are really the only one that brought up this
> issue.

Concerning Debian's NEWS, it is difficult to know, as I fear that this hasn't been tested by most users. I could detect the issue because I use a machine more recent than Debian/stable and because I have a cron job that does a check every day.

> > I'm wondering whether this check for invalid redeclarations of
> > predefined entities should also go to Debian/stable since it fixes
> > an integer overflow at the same time:
> >
> > https://gitlab.gnome.org/GNOME/libxml2/-/issues/217
> >
> > Any security issue related to that?
>
> AFAIK not yet at least.

This is the opposite: things like integer overflows (in particular when they occur on untrusted data like here) should be regarded as security issues by default, but it can be found later that they have no security implications.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)