UbuntuUpdates.org

Package "libxml2"

Name: libxml2

Description:

GNOME XML library

Latest version: 2.9.3+dfsg1-1ubuntu0.7
Release: xenial (16.04)
Level: updates
Repository: main
Homepage: http://xmlsoft.org/

Other versions of "libxml2" in Xenial

Repository  Area  Version
base        main  2.9.3+dfsg1-1
security    main  2.9.3+dfsg1-1ubuntu0.7


Changelog

Version: 2.9.3+dfsg1-1ubuntu0.7 2020-02-10 15:07:06 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory leak
    - debian/patches/CVE-2019-19956.patch: fix memory leak in
      xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
    - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
    - debian/patches/CVE-2020-7595.patch: fix infinite loop in
      xmlStringLenDecodeEntities adding checks to ctxt->instate if
      it is == XML_PARSER_EOF in parser.c.
    - CVE-2020-7595

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 05 Feb 2020 14:02:29 -0300

CVE-2019-19956 xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVE-2020-7595 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Version: 2.9.3+dfsg1-1ubuntu0.6 2018-08-14 21:07:37 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 13 Aug 2018 16:49:50 -0300

CVE-2016-9318 libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current docume
CVE-2017-18258 The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA
CVE-2018-14404 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath e

Version: 2.9.3+dfsg1-1ubuntu0.5 2017-12-13 16:06:49 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 11 Dec 2017 13:29:09 -0300

CVE-2017-15412 use after free

Version: 2.9.3+dfsg1-1ubuntu0.4 2017-12-05 16:06:46 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 04 Dec 2017 15:20:29 -0300

CVE-2017-16932 parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.

Version: 2.9.3+dfsg1-1ubuntu0.3 2017-09-19 03:06:41 UTC

  libxml2 (2.9.3+dfsg1-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: type confusion leading to out-of-bounds write
    - debian/patches/CVE-2017-0663.patch: eliminate cast
    - CVE-2017-0663
  * SECURITY UPDATE: XML external entity (XXE) vulnerability
    - debian/patches/CVE-2017-7375.patch: add validation for parsed
      entity references
    - CVE-2017-7375
  * SECURITY UPDATE: buffer overflow in URL handling
    - debian/patches/CVE-2017-7376.patch: allocate enough memory for
      ports in HTTP redirect support
    - CVE-2017-7376
  * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent()
    - debian/patches/CVE-2017-9047-9048.patch: ensure enough space
      remains in buffer for copied data
    - CVE-2017-9047, CVE-2017-9048
  * SECURITY UPDATE: heap based buffer overreads in
    xmlDictComputeFastKey()
    - debian/patches/CVE-2017-9049-9050.patch: drop unnecessary
      expansions, add additional sanity check
    - CVE-2017-9049, CVE-2017-9050

 -- Steve Beattie <email address hidden> Fri, 15 Sep 2017 16:00:14 -0700
