See also: https://bugzilla.redhat.com/show_bug.cgi?id=912400 https://pypi.python.org/pypi/defusedxml http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
Looks like part of this originates with dev-libs/libxml2.
The libxml2 side of things is fixed by dev-libs/libxml2-2.9.0-r2, which needs to be stabilized. (Note: please stabilize evolution-data-server-2.32.3-r3 at the same time - see bug #448798)

+*libxml2-2.9.0-r2 (20 Feb 2013)
+
+  20 Feb 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  -libxml2-2.9.0.ebuild, +libxml2-2.9.0-r2.ebuild,
+  +files/libxml2-2.9.0-excessive-entity-expansion.patch:
+  Fix entity expansion DoS vulnerability (CVE-2013-1664, bug #458430, thanks to
+  Dirkjan Ochtman). Drop old.
Alexandre, is dev-libs/libxml2-2.9 ready for Gnome 2.32? I am still running 2.8 because I read a comment from some gnome herd member (I don't remember who :S) suggesting to wait for Gnome3 for using libxml-2.9 :/
(In reply to comment #3)
> Alexandre, is dev-libs/libxml2-2.9 ready for Gnome 2.32? I am still running
> 2.8 because I read a comment from some gnome herd member (I don't remember
> who :S) suggesting to wait for Gnome3 for using libxml-2.9 :/

The only gnome-2.32 package that I know which used the old libxml2 buffer API is evolution-data-server, and I've fixed it by backporting the libxml2-2.9 compatibility patch from 3.6 to evolution-data-server-2.32.3-r3. If some other packages are affected, we can apply the same basic fix for them.

libxml2-2.9 has been unmasked for two months, and the only bug still open for it is games-rpg/eternal-lands (bug #449352), which doesn't have any stable versions in portage and so does not block libxml2-2.9.x stabilization.
CCing arches to stabilize libxml2-2.9.0-r2
(In reply to comment #5)
> CCing arches to stabilize libxml2-2.9.0-r2

No, like this, please:

Arch teams, please test and mark stable:
=dev-libs/libxml2-2.9.0-r2
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
alpha stable
ia64 stable
arm stable
sparc stable
s390 stable
sh stable
Added to existing draft.
missing m68k
CVE-2013-1664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1664): OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; and Cinder Folsom allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
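The CVE text above describes an XML Entity Expansion (XEE) denial of service: a document declares entities that reference each other so that a tiny input expands into an enormous amount of memory. The defusedxml package linked at the top of this bug takes the approach of refusing entity declarations outright, before the parser ever allocates the expanded content. The following is an added illustration of that mitigation, not code from the bug thread, from libxml2 or from defusedxml; it uses only Python's standard-library expat bindings, and the two sample documents are constructed for the example.

```python
"""Refuse XML entity declarations before any expansion can happen.

Added example (not part of the bug report): a plain data document never
needs to declare entities, so rejecting the declaration itself is a
cheap, version-independent guard against XEE-style resource exhaustion.
"""
import xml.parsers.expat as expat


class EntityDeclarationError(ValueError):
    """Raised when an untrusted document declares or references an entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse *data* and return (element_name, text) pairs for each element.

    Internal, unparsed and external entity declarations abort parsing via
    EntityDeclarationError, so the expanded entity content is never built.
    """
    parser = expat.ParserCreate()
    collected = []   # (element name, text directly inside it)
    text = []        # character data buffer for the element being read

    def reject_entity(entity_name, *_ignored):
        # expat calls this for every <!ENTITY ...> in the DTD, before any
        # element is seen, so the document is refused up front.
        raise EntityDeclarationError(
            "entity declaration not allowed: %r" % entity_name)

    def reject_external(*_ignored):
        raise EntityDeclarationError("external entity reference not allowed")

    def start_element(name, _attrs):
        text.clear()

    def end_element(name):
        collected.append((name, "".join(text).strip()))
        text.clear()

    parser.EntityDeclHandler = reject_entity
    parser.UnparsedEntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return collected


def is_rejected(data: bytes) -> bool:
    """True if the guard refuses *data*; used to check the policy below."""
    try:
        parse_untrusted_xml(data)
    except EntityDeclarationError:
        return True
    return False


# Constructed sample documents for the example (not from the bug thread).
BENIGN_DOC = (b"<?xml version='1.0'?>"
              b"<user><name>alice</name><role>reader</role></user>")

# A single internal entity declaration is enough to trip the guard; the
# parser stops at the DTD and never reaches the element content.
ENTITY_DOC = (b"<?xml version='1.0'?>"
              b"<!DOCTYPE d [<!ENTITY a \"aaaa\">]>"
              b"<d>&a;</d>")


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC))
    print("entity document rejected:", is_rejected(ENTITY_DOC))
```

The handlers fire while expat reads the DTD, so the cost of rejecting a hostile document is bounded by the size of the declaration, not by what it would expand to. Where a schema genuinely needs entities, the same hook can instead count declarations and cap the total declared size rather than refusing them altogether.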
M68K is no longer a stable arch, removing it from the cc list
This issue was resolved and addressed in GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml by GLSA coordinator Sean Amoss (ackle).