lsh123
commented
5 months ago Sorry for delay, I was on the road. Please try PR #785 and let me know if this addresses your issue.
Closed mbarova closed 5 months ago
lsh123
commented
5 months ago Sorry for delay, I was on the road. Please try PR #785 and let me know if this addresses your issue.
lsh123
commented
5 months ago Please reopen the bug if you still have problems
mbarova
commented
4 months ago Hi, the fix addresses the issue. Thank you!
The existing CVE-2023-39615 against XML2 function xmlSAX2StartElement() looks like is not going to be fixed because code maintainers claim that this is not a security issue. The vulnerable function is used in a few places if SAX1 is enabled (example: xmlSAXVersion()) . After building xml2 without SAX1 and using it in xmlsec, there are failures for a couple of functions that are deprecated and need to be fixed with more up to date alternatives. The functions are xmlParseFile() and xmlParseMamory(). The alternatives are xmlReadFile() and xmlReadMemory() respectively.