libxml2 upstream fixes.
In this week's security fixes mentioned at LWN, my first item is libxml2. Fedora re-fixed CVE-2020-24977 (their first patch was incorrect). Looking at what they have, there are 5 upstream fixes (relaxed approach to nested documents, CVE-2019-20388, CVE-2020-7595, integer overflow, CVE-2020-24977). AFAICS the CVEs are only DoS.
Looking at Fedora, they also have a fix to build with python-3.10 which only changes generator.py. They do not hack python/types.c. AFAICS, our sed is a better fix for a patch we used to carry which was apparently for a segfault in itstool.
My initial opinion (after only doing a DESTDIR install) is that we don't need this. I have not yet looked at running the tests to see if that sed is needed (Fedora don't use anything, but perhaps do not download the extra file).
Sed for ICU-68.1 still needed (Fedora were still building with 67 when I first looked at this a few days ago).