Control: severity -1 serious On Sun, Apr 08, 2018 at 11:42:11AM +0200, Salvatore Bonaccorso wrote: > I'm currently clarifying the scope for CVE-2018-9251 with MITRE. > Basically before e2a9122b8dde53d320750451e9907a7dcb2ca8bb upstrema > commit the limiter was disabled effecitively. I'm trying to clarify if > thus the scope CVE-2018-9251 should be consider only for libxml2 > version which did apply e2a9122b8dde53d320750451e9907a7dcb2ca8bb. The > question on e2a9122b8dde53d320750451e9907a7dcb2ca8bb is another one, > since it has potential for denial of service, and asked for if that > should get a separate CVE id.
This has been clarified. So CVE-2018-9251 is only an issue if upstream commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb has been applied. See details in https://bugzilla.gnome.org/show_bug.cgi?id=794914 . I'm raising the severity to RC so that (since it only affects experimental), does not enter unstable in this form. There is though no upstream fix accepted yet, although the reporter has proposed a solution. Regards, Salvatore
