Package "libxml2"
Name: libxml2
Description: GNOME XML library
Latest version: 2.9.4+dfsg1-6.1ubuntu1.9
Release: bionic (18.04)
Level: updates
Repository: main
Homepage: http://xmlsoft.org
Changelog
libxml2 (2.9.4+dfsg1-6.1ubuntu1.4) bionic-security; urgency=medium
  * debian/patches/fix-error-handler-bug.patch: Add extra missing commit to
    previous CVE-2017-8872 fix, halt immediately when the error handler
    attempts to stop the parser.
  * SECURITY UPDATE: memory leak
    - debian/patches/CVE-2019-20388.patch: Memory leak in
      xmlSchemaValidateStream function in xmlschemas.c.
    - CVE-2019-20388
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
      sequences don't cause an out-of-bounds array access in xmllint.
    - CVE-2020-24977
  * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
      that names aren't stored in dictionaries.
    - CVE-2021-3516
  * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
      UTF-8 format, supplementing CVE-2020-24977 fix.
    - CVE-2021-3517
  * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
    - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
      list approach to avoid descending into other node types that can't
      contain elements.
    - CVE-2021-3518
  * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
    - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
      to xmlParseElementChildrenContentDeclPriv and return immediately in case
      of errors.
    - CVE-2021-3537

 -- Avital Ostromich <email address hidden>  Thu, 22 Apr 2021 19:26:37 -0400
CVE-2017-8872: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information di
CVE-2019-20388: xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVE-2020-24977: GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixe
CVE-2021-3516: There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trig
CVE-2021-3517: There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be
CVE-2021-3518: There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with l
CVE-2021-3537: A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL der

libxml2 (2.9.4+dfsg1-6.1ubuntu1.3) bionic-security; urgency=medium
  * SECURITY UPDATE: Memory leak
    - debian/patches/CVE-2019-19956.patch: fix memory leak in
      xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
    - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
    - debian/patches/CVE-2020-7595.patch: fix infinite loop in
      xmlStringLenDecodeEntities adding checks to ctxt->instate if
      it is == XML_PARSER_EOF in parser.c.
    - CVE-2020-7595

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 05 Feb 2020 14:08:34 -0300
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVE-2020-7595: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

libxml2 (2.9.4+dfsg1-6.1ubuntu1.2) bionic-security; urgency=medium
  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567
  * SECURITY UPDATE: Infinite recursion/Denial of service
    - debian/patches/CVE-2017-16932.patch: fix in parser.c and
      add some error check files result/errors/759579.xml,
      result/errors/759579.xml.err, result/errors/759579.xml.str,
      test/errors/759579.xml.
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Fri, 10 Aug 2018 15:30:23 -0300
CVE-2016-9318: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current docume
CVE-2017-18258: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA
CVE-2018-14404: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath e
CVE-2017-16932: parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.