UbuntuUpdates.org

Package "libxml2"

Name: libxml2

Description:

GNOME XML library

Latest version: 2.9.3+dfsg1-1ubuntu0.7
Release: xenial (16.04)
Level: updates
Repository: main
Homepage: http://xmlsoft.org/

Links


Download "libxml2"


Other versions of "libxml2" in Xenial

Repository Area Version
base main 2.9.3+dfsg1-1
security main 2.9.3+dfsg1-1ubuntu0.7

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.9.3+dfsg1-1ubuntu0.2 2017-03-16 13:06:51 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.ac, debugXML.c,
      encoding.c, entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131
  * debian/patches/lp1652325.patch: XML push parser fails with bogus
    UTF-8 encoding error when multi-byte character in large CDATA section
    is split across buffer (LP: #1652325)

 -- Marc Deslauriers <email address hidden> Tue, 14 Mar 2017 16:06:13 -0400

Source diff to previous version
1652325 Libxml2 2.9.3 fails to parse multi-byte character in large CDATA section that is split across buffer
CVE-2016-4448 Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
CVE-2016-4658 libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a
CVE-2016-5131 Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of ser

Version: 2.9.3+dfsg1-1ubuntu0.1 2016-06-06 19:06:33 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overread in xmlNextChar
    - debian/patches/CVE-2016-1762.patch: return after error in parser.c.
    - CVE-2016-1762
  * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar
    - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c.
    - CVE-2016-1833
  * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat
    - debian/patches/CVE-2016-1834.patch: check for negative lengths in
      xmlstring.c.
    - CVE-2016-1834
  * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs
    - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests
      to result/errors/759020.xml.err, result/errors/759020.xml.str,
      test/errors/759020.xml.
    - CVE-2016-1835
  * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey
    - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in
      parser.c, added tests to result/errors/759398.xml.err,
      result/errors/759398.xml.str, test/errors/759398.xml.
    - CVE-2016-1836
  * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and
    htmlParseSystemiteral
    - debian/patches/CVE-2016-1837.patch: prevent stable pointer usage in
      HTMLparser.c.
    - CVE-2016-1837
  * SECURITY UPDATE: heap-based buffer overread in
    xmlParserPrintFileContextInternal
    - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c,
      add tests to result/errors/758588.xml.err,
      result/errors/758588.xml.str, test/errors/758588.xml.
    - CVE-2016-1838
  * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString
    - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c.
    - CVE-2015-8806
    - CVE-2016-1839
    - CVE-2016-2073
  * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup
    - debian/patches/CVE-2016-1840.patch: properly handle error in
      xmlregexp.c.
    - CVE-2016-1840
  * SECURITY UPDATE: avoid building recursive entities
    - debian/patches/CVE-2016-3627.patch: properly handle recursion in
      parser.c, tree.c.
    - CVE-2016-3627
  * SECURITY UPDATE: recursion depth counter issue
    - debian/patches/CVE-2016-3705.patch: properly could recursion depth in
      parser.c.
    - CVE-2016-3705
  * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName
    - debian/patches/CVE-2016-4447.patch: improve error handling in
      parser.c.
    - CVE-2016-4447
  * SECURITY UPDATE: inappropriate fetch of entities content
    - debian/patches/CVE-2016-4449.patch: fix another external entity fetch
      in parser.c.
    - CVE-2016-4449
  * SECURITY UPDATE: out of bound access when serializing malformed strings
    - debian/patches/CVE-2016-4483.patch: improve string handling in
      xmlsave.c.
    - CVE-2016-4483

 -- Marc Deslauriers <email address hidden> Fri, 03 Jun 2016 08:05:40 -0400

CVE-2016-1762 libxml2 in Apple iOS before 9.3, OS X before 10.11.4, Safari before 9.1, tvOS before 9.2, and watchOS before 2.2 allows remote attackers to execute a
CVE-2016-1833 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2016-1834 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2016-1835 libxml2, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to execute arbitrary code or cause a denial of service (m
CVE-2016-1836 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2016-1837 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2016-1838 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2016-1839 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2015-8806 dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected characte
CVE-2016-2073 The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML doc
CVE-2016-1840 libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbi
CVE-2016-3627 The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a d
CVE-2016-3705 The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth



About   -   Send Feedback to @ubuntu_updates