[ooo-build] security fix for CVE-2009-3736
Rene Engelhard
rene at debian.org
Wed Dec 16 15:30:10 PST 2009
Hi again,
On Thu, Dec 17, 2009 at 12:24:38AM +0100, Rene Engelhard wrote:
> There isn't. There was one once, but it will not work ever unless
> the whole stuff is drastically changed. (Or you patch your xmlsec
> with all the intrusive changes OOo did on xmlsec). At least it got
> updated to a current upstream in 3.2, but still with an intrusive patch...
Actually, 1.2.12 instead of 1.2.14 (which has that CVE fixed), but as
said, we're probably not affected anyhow.
> If there was one, distros would already be using it, be sure :-)
>
> > dealing with the CVE-2009-3736 [1] that affects libltdl and which is
> > bundled in the xmlsec. As I didn't find any option to link
> > ooo-build 3.1.1 with a fixed system version I've adapted a patch our
> > secteam has done to fix xmlsec 1.2.10 based on [2].
>
> OOo builds do *not* use --enable-crypto_dl for xmlsec.
> So no ltdl usage afaics -> not affected.
FTR, this was discussed in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559831
Grüße/Regards,
Rene
--
.''`. René Engelhard -- Debian GNU/Linux Developer
: :' : http://www.debian.org | http://people.debian.org/~rene/
`. `' rene at debian.org | GnuPG-Key ID: D03E3E70
`- Fingerprint: E12D EA46 7506 70CF A960 801D 0AA0 4571 D03E 3E70