Package "libxml2"
| Name: |
libxml2
|
Description: |
GNOME XML library
|
| Latest version: |
2.9.4+dfsg1-6.1ubuntu1.8 |
| Release: |
bionic (18.04) |
| Level: |
security |
| Repository: |
main |
| Homepage: |
http://xmlsoft.org |
Links
Download "libxml2"
Other versions of "libxml2" in Bionic
Packages in group
Deleted packages are displayed in grey.
Changelog
|
libxml2 (2.9.4+dfsg1-6.1ubuntu1.8) bionic-security; urgency=medium
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2022-2309.patch: reset nsNr in
xmlCtxReset in parser.c (LP: #1996494).
- CVE-2022-2309
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2022-40303.patch: fix integer overflows
with XML_PARSE_HUGE in parser.c.
- CVE-2022-40303
* SECURITY UPDATE: Double-free
- debian/patches/CVE-2022-40304.patch: fix dict
corruption caused by entity ref cycles in
entities.c.
- CVE-2022-40304
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 01 Dec 2022 09:38:39 -0300
|
| Source diff to previous version |
| 1996494 |
CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash) |
| CVE-2022-2309 |
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libx |
| CVE-2022-40303 |
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several i |
| CVE-2022-40304 |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequ |
|
|
libxml2 (2.9.4+dfsg1-6.1ubuntu1.7) bionic-security; urgency=medium
* SECURITY UPDATE: Possible cross-site scripting
- debian/patches/CVE-2016-3709.patch: Revert "do not URI escape
in server side includes" in HTMLtree.c.
- CVE-2016-3709
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 01 Aug 2022 11:25:53 -0300
|
| Source diff to previous version |
| CVE-2016-3709 |
Possible cross-site scripting vulnerability in libxml after commit 960f0e2. |
|
|
libxml2 (2.9.4+dfsg1-6.1ubuntu1.6) bionic-security; urgency=medium
* SECURITY UPDATE: Integer overflows
- debian/patches/CVE-2022-29824.patch: Fix integer overflows in
xmlBuf and xmlBuffer in tree.c, buf.c.
- CVE-2022-29824
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 10 May 2022 11:18:33 -0300
|
| Source diff to previous version |
| CVE-2022-29824 |
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can re |
|
|
libxml2 (2.9.4+dfsg1-6.1ubuntu1.5) bionic-security; urgency=medium
* SECURITY UPDATE: use-after-free of ID and IDREF attributes
- debian/patches/CVE-2022-23308.patch: normalize ID attributes in
valid.c.
- CVE-2022-23308
-- Marc Deslauriers <email address hidden> Thu, 10 Mar 2022 13:00:02 -0500
|
| Source diff to previous version |
| CVE-2022-23308 |
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. |
|
|
libxml2 (2.9.4+dfsg1-6.1ubuntu1.4) bionic-security; urgency=medium
* debian/patches/fix-error-handler-bug.patch: Add extra missing commit to
previous CVE-2017-8872 fix, halt immediately when the error handler
attempts to stop the parser.
* SECURITY UPDATE: memory leak
- debian/patches/CVE-2019-20388.patch: Memory leak in
xmlSchemaValidateStream function in xmlschemas.c.
- CVE-2019-20388
* SECURITY UPDATE: out-of-bounds read
- debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
sequences don't cause an out-of-bounds array access in xmllint.
- CVE-2020-24977
* SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
- debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
that names aren't stored in dictionaries.
- CVE-2021-3516
* SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
- debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
UTF-8 format, supplementing CVE-2020-24977 fix.
- CVE-2021-3517
* SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
- debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
list approach to avoid descending into other node types that can't
contain elements.
- CVE-2021-3518
* SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
- debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
to xmlParseElementChildrenContentDeclPriv and return immediately in case
of errors.
- CVE-2021-3537
-- Avital Ostromich <email address hidden> Thu, 22 Apr 2021 19:26:37 -0400
|
| CVE-2017-8872 |
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information di |
| CVE-2019-20388 |
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. |
| CVE-2020-24977 |
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixe |
| CVE-2021-3516 |
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trig |
| CVE-2021-3517 |
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be |
| CVE-2021-3518 |
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with l |
| CVE-2021-3537 |
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL der |
|
About
-
Send Feedback to @ubuntu_updates
