UbuntuUpdates.org

Package "python-libxml2"

Name: python-libxml2

Description:

Python bindings for the GNOME XML library

Latest version: 2.9.1+dfsg1-3ubuntu4.13
Release: trusty (14.04)
Level: updates
Repository: main
Head package: libxml2
Homepage: http://xmlsoft.org/

Other versions of "python-libxml2" in Trusty

Repository   Area   Version
base         main   2.9.1+dfsg1-3ubuntu4
security     main   2.9.1+dfsg1-3ubuntu4.13

Changelog

Version: 2.9.1+dfsg1-3ubuntu4.13 2018-08-14 20:06:23 UTC

  libxml2 (2.9.1+dfsg1-3ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 13 Aug 2018 17:50:43 -0300

CVE-2016-9318 libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current docume
CVE-2017-18258 The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA
CVE-2018-14404 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath e

Version: 2.9.1+dfsg1-3ubuntu4.12 2017-12-13 16:06:46 UTC

  libxml2 (2.9.1+dfsg1-3ubuntu4.12) trusty-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 11 Dec 2017 13:31:53 -0300

CVE-2017-15412 use after free

Version: 2.9.1+dfsg1-3ubuntu4.11 2017-12-05 16:06:44 UTC

  libxml2 (2.9.1+dfsg1-3ubuntu4.11) trusty-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 04 Dec 2017 15:17:15 -0300

CVE-2017-16932 parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.

Version: 2.9.1+dfsg1-3ubuntu4.10 2017-09-19 03:06:40 UTC

  libxml2 (2.9.1+dfsg1-3ubuntu4.10) trusty-security; urgency=medium

  * SECURITY UPDATE: type confusion leading to out-of-bounds write
    - debian/patches/CVE-2017-0663.patch: eliminate cast
    - CVE-2017-0663
  * SECURITY UPDATE: XML external entity (XXE) vulnerability
    - debian/patches/CVE-2017-7375.patch: add validation for parsed
      entity references
    - CVE-2017-7375
  * SECURITY UPDATE: buffer overflow in URL handling
    - debian/patches/CVE-2017-7376.patch: allocate enough memory for
      ports in HTTP redirect support
    - CVE-2017-7376
  * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent()
    - debian/patches/CVE-2017-9047-9048.patch: ensure enough space
      remains in buffer for copied data
    - CVE-2017-9047, CVE-2017-9048
  * SECURITY UPDATE: heap-based buffer overreads in
    xmlDictComputeFastKey()
    - debian/patches/CVE-2017-9049-9050.patch: drop unnecessary
      expansions, add additional sanity check
    - CVE-2017-9049, CVE-2017-9050

 -- Steve Beattie <email address hidden> Fri, 15 Sep 2017 16:19:46 -0700

Version: 2.9.1+dfsg1-3ubuntu4.9 2017-03-16 13:06:48 UTC

  libxml2 (2.9.1+dfsg1-3ubuntu4.9) trusty-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.in, debugXML.c,
      encoding.c, entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/patches/CVE-2016-4448-3.patch: fix build on pre-C99 compilers
      in relaxng.c, xmlschemas.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131

 -- Marc Deslauriers <email address hidden> Wed, 15 Mar 2017 07:54:26 -0400

CVE-2016-4448 Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
CVE-2016-4658 libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a
CVE-2016-5131 Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of ser