UbuntuUpdates.org

Package "libxml2-utils"

Name: libxml2-utils

Description:

XML utilities

Latest version: 2.9.3+dfsg1-1ubuntu0.7
Release: xenial (16.04)
Level: security
Repository: main
Head package: libxml2
Homepage: http://xmlsoft.org/

Other versions of "libxml2-utils" in Xenial

Repository Area Version
base main 2.9.3+dfsg1-1
updates main 2.9.3+dfsg1-1ubuntu0.7

Changelog

Version: 2.9.3+dfsg1-1ubuntu0.7 2020-02-10 14:06:27 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory leak
    - debian/patches/CVE-2019-19956.patch: fix memory leak in
      xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
    - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
    - debian/patches/CVE-2020-7595.patch: fix infinite loop in
      xmlStringLenDecodeEntities adding checks to ctxt->instate if
      it is == XML_PARSER_EOF in parser.c.
    - CVE-2020-7595

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 05 Feb 2020 14:02:29 -0300

CVE-2019-19956 xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVE-2020-7595 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Version: 2.9.3+dfsg1-1ubuntu0.6 2018-08-14 20:06:30 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 13 Aug 2018 16:49:50 -0300

CVE-2016-9318 libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current docume
CVE-2017-18258 The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA
CVE-2018-14404 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath e

Version: 2.9.3+dfsg1-1ubuntu0.5 2017-12-13 14:06:45 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: use after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 11 Dec 2017 13:29:09 -0300

CVE-2017-15412 use after free

Version: 2.9.3+dfsg1-1ubuntu0.4 2017-12-05 15:06:39 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 04 Dec 2017 15:20:29 -0300

CVE-2017-16932 parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.

Version: 2.9.3+dfsg1-1ubuntu0.3 2017-09-19 01:06:42 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: type confusion leading to out-of-bounds write
    - debian/patches/CVE-2017-0663.patch: eliminate cast
    - CVE-2017-0663
  * SECURITY UPDATE: XML external entity (XXE) vulnerability
    - debian/patches/CVE-2017-7375.patch: add validation for parsed
      entity references
    - CVE-2017-7375
  * SECURITY UPDATE: buffer overflow in URL handling
    - debian/patches/CVE-2017-7376.patch: allocate enough memory for
      ports in HTTP redirect support
    - CVE-2017-7376
  * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent()
    - debian/patches/CVE-2017-9047-9048.patch: ensure enough space
      remains in buffer for copied data
    - CVE-2017-9047, CVE-2017-9048
  * SECURITY UPDATE: heap based buffer overreads in
    xmlDictComputeFastKey()
    - debian/patches/CVE-2017-9049-9050.patch: drop unnecessary
      expansions, add additional sanity check
    - CVE-2017-9049, CVE-2017-9050

 -- Steve Beattie <email address hidden> Fri, 15 Sep 2017 16:00:14 -0700



