Hi Cyril, hi Samuel,

On Fri, Apr 03, 2015 at 11:34:06PM +0200, Cyril Brulebois wrote:
> Hi people,
>
> (adding debian-boot@ for reference.)
>
> Samuel Thibault <sthiba...@debian.org> (2015-03-26):
> > Samuel Thibault, on Thu 26 Mar 2015 02:17:01 +0100, wrote:
> > > Control: found -1 2.8.0+dfsg1-7+wheezy3
> > >
> > > This is still an issue in stable, the proposed patch was not applied
> > > there, and thus installation-guide still FTBFS on wheezy, notably on our
> > > dillon.debian.org machine, thus making http://d-i.debian.org/manual/
> > > completely out of date. Could this be proposed for stable update?
> > >
> > > I have attached the proposed patch again.
> >
> > Just to insist: while the symptoms of my report (#774358) may look like
> > #768089, the *actual* bug is *not* the same. Please read my bug report
> > and the proposed patch again: the issue is that the security fix for
> > CVE-2014-3660 from a newer version of libxml2 (2.9.x) was backported
> > into the libxml2 of wheezy (2.8.x) without noticing the subtle source
> > code difference which does matter a lot.
>
> As one of the guys receiving a notification of the FTBFS every time
> the crontab entry is triggered, and who would like to make sure the
> installation guide is actually buildable *and* up-to-date, I really
> would like to get a fix for this regression ASAP. It's been more than
> 3 months since this bug report about ***stable being broken*** has
> been opened.
>
> Thanks already.

I prepared an update adding the two additional commits which seem
required as basis for the patch for CVE-2014-3660. I have uploaded it
here:

https://people.debian.org/~carnil/tmp/libxml2/

Would appreciate some additional testing to them before we release a
regression update for libxml2. The installation guide would build now
but a second pair of eyes over the changes would really be
appreciated.

Regards,
Salvatore