Control: tags -1 + confirmed

On Tue, 2024-01-30 at 00:07 +0100, Guilhem Moulin wrote:
> Control: tags -1 - moreinfo
>
> On Mon, 29 Jan 2024 at 21:55:37 +0000, Adam D. Barratt wrote:
> >
> > On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote:
> > > Fix CVE-2023-34194: Reachable assertion (and application exit)
> > > via a
> > > crafted XML document with a '\0' located after whitespace.
> >
> > + * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and
> > application
> >
> > As far as I can tell from the Security Tracker, CVE-2023-40462
> > specifically refers to TinyXML's use in software that isn't in
> > Debian.
> > Does it make sense to mention it in the changelog?
>
> That CVE was assigned to TinyXML until
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> ,
> see also https://bugs.debian.org/1059315 .
>

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059315#54 seems like
they should be considered separate.

> But fair enough, new debdiff attached :-)
>

Thanks. Please go ahead.

Regards,

Adam