UbuntuUpdates.org

Package "libxml2-dev"

Name: libxml2-dev

Description:

Development files for the GNOME XML library

Latest version: 2.9.10+dfsg-5ubuntu0.20.04.4
Release: focal (20.04)
Level: security
Repository: main
Head package: libxml2
Homepage: http://xmlsoft.org


Other versions of "libxml2-dev" in Focal

Repository   Area   Version
base         main   2.9.10+dfsg-5
updates      main   2.9.10+dfsg-5ubuntu0.20.04.4

Changelog

Version: 2.9.10+dfsg-5ubuntu0.20.04.4 2022-08-04 20:06:33 UTC

  libxml2 (2.9.10+dfsg-5ubuntu0.20.04.4) focal-security; urgency=medium

  * SECURITY UPDATE: Possible cross-site scripting
    - debian/patches/CVE-2016-3709.patch: Revert "do not URI escape
      in server side includes" in HTMLtree.c.
    - CVE-2016-3709

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 01 Aug 2022 11:05:23 -0300

CVE-2016-3709 Possible cross-site scripting vulnerability in libxml after commit 960f0e2.

Version: 2.9.10+dfsg-5ubuntu0.20.04.3 2022-05-16 19:06:26 UTC

  libxml2 (2.9.10+dfsg-5ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
      xmlBuf and xmlBuffer in tree.c, buf.c.
    - CVE-2022-29824

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 10 May 2022 11:13:24 -0300

CVE-2022-29824 In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can re

Version: 2.9.10+dfsg-5ubuntu0.20.04.2 2022-03-14 12:06:24 UTC

  libxml2 (2.9.10+dfsg-5ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: use-after-free of ID and IDREF attributes
    - debian/patches/CVE-2022-23308.patch: normalize ID attributes in
      valid.c.
    - CVE-2022-23308

 -- Marc Deslauriers <email address hidden> Thu, 10 Mar 2022 12:59:13 -0500

CVE-2022-23308 valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

Version: 2.9.10+dfsg-5ubuntu0.20.04.1 2021-06-17 16:06:23 UTC

  libxml2 (2.9.10+dfsg-5ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
      sequences don't cause an out-of-bounds array access in xmllint.
    - CVE-2020-24977
  * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
      that names aren't stored in dictionaries.
    - CVE-2021-3516
  * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
      UTF-8 format, supplementing CVE-2020-24977 fix.
    - CVE-2021-3517
  * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
    - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
      list approach to avoid descending into other node types that can't
      contain elements.
    - CVE-2021-3518
  * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
    - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
      to xmlParseElementChildrenContentDeclPriv and return immediately in case
      of errors.
    - CVE-2021-3537
  * SECURITY UPDATE: Exponential entity expansion
    - debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to
      xmlParserEntityCheck to prevent entity exponential.
    - CVE-2021-3541

 -- Avital Ostromich <email address hidden> Wed, 26 May 2021 19:51:20 -0400

CVE-2020-24977 GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixe
CVE-2021-3516 There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trig
CVE-2021-3517 There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be
CVE-2021-3518 There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with l
CVE-2021-3537 A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL der


