Change logs for libxml2 source package in Bionic

  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Null dereference
        - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
          xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
          when parsing (invalid) XML schemas in
          result/schemas/oss-fuzz-51295_0_0.err,
          test/schemas/oss-fuzz-51295_0.xml,
          test/schemas/oss-fuzz-51295_0.xsd,
          xmlschemas.c.
        - CVE-2023-28484
      * SECURITY UPDATE: Logic or memory errors and double frees
    - debian/patches/CVE-2023-29469.patch: check for namelen less than or
      equal to zero in dict.c.
        - CVE-2023-29469
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 14 Apr 2023 10:26:30 -0300
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: NULL pointer dereference
        - debian/patches/CVE-2022-2309.patch: reset nsNr in
          xmlCtxReset in parser.c (LP: #1996494).
        - CVE-2022-2309
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2022-40303.patch: fix integer overflows
          with XML_PARSE_HUGE in parser.c.
        - CVE-2022-40303
      * SECURITY UPDATE: Double-free
        - debian/patches/CVE-2022-40304.patch: fix dict
          corruption caused by entity ref cycles in
          entities.c.
        - CVE-2022-40304
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 01 Dec 2022 09:38:39 -0300
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Possible cross-site scripting
        - debian/patches/CVE-2016-3709.patch: Revert "do not URI escape
          in server side includes" in HTMLtree.c.
        - CVE-2016-3709
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 01 Aug 2022 11:25:53 -0300
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Integer overflows
        - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
          xmlBuf and xmlBuffer in tree.c, buf.c.
        - CVE-2022-29824
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 10 May 2022 11:18:33 -0300
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.5) bionic-security; urgency=medium
    
      * SECURITY UPDATE: use-after-free of ID and IDREF attributes
        - debian/patches/CVE-2022-23308.patch: normalize ID attributes in
          valid.c.
        - CVE-2022-23308
    
     -- Marc Deslauriers <email address hidden>  Thu, 10 Mar 2022 13:00:02 -0500
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.4) bionic-security; urgency=medium
    
      * debian/patches/fix-error-handler-bug.patch: Add extra missing commit to
        previous CVE-2017-8872 fix, halt immediately when the error handler
        attempts to stop the parser.
      * SECURITY UPDATE: memory leak
        - debian/patches/CVE-2019-20388.patch: Memory leak in
          xmlSchemaValidateStream function in xmlschemas.c.
        - CVE-2019-20388
      * SECURITY UPDATE: out-of-bounds read
        - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
          sequences don't cause an out-of-bounds array access in xmllint.
        - CVE-2020-24977
      * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
        - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
          that names aren't stored in dictionaries.
        - CVE-2021-3516
      * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
        - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
          UTF-8 format, supplementing CVE-2020-24977 fix.
        - CVE-2021-3517
      * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
        - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
          list approach to avoid descending into other node types that can't
          contain elements.
        - CVE-2021-3518
      * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
        - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
          to xmlParseElementChildrenContentDeclPriv and return immediately in case
          of errors.
        - CVE-2021-3537
    
     -- Avital Ostromich <email address hidden>  Thu, 22 Apr 2021 19:26:37 -0400
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Memory leak
        - debian/patches/CVE-2019-19956.patch: fix memory leak in
          xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
        - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
        - debian/patches/CVE-2020-7595.patch: fix infinite loop in
          xmlStringLenDecodeEntities adding checks to ctxt->instate if
          it is == XML_PARSER_EOF in parser.c.
        - CVE-2020-7595
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 05 Feb 2020 14:08:34 -0300
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: XXE attacks
        - debian/patches/CVE-2016-9318.patch: fix in parser.c.
        - CVE-2016-9318
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
        - CVE-2017-18258
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
        - CVE-2018-14404
      * SECURITY UPDATE: Infinite loop in LZMA decompression
        - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
        - CVE-2018-14567
      * SECURITY UPDATE: Infinite recursion/Denial of service
        - debian/patches/CVE-2017-16932.patch: fix in parser.c and
          add some error check files result/errors/759579.xml,
          result/errors/759579.xml.err, result/errors/759579.xml.str,
          test/errors/759579.xml.
        - CVE-2017-16932
    
     -- <email address hidden> (Leonidas S. Barbosa)  Fri, 10 Aug 2018 15:30:23 -0300
  • libxml2 (2.9.4+dfsg1-6.1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.
    
    libxml2 (2.9.4+dfsg1-6.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
        (Closes: #862450)
    
    libxml2 (2.9.4+dfsg1-6) unstable; urgency=medium
    
      * Team upload.
      * d/watch: bump to version 4, wrap lines, and limit matching to released
        stable versions.
      * Drop libxml2-udeb.  The package has been broken in Ubuntu for a while
        already, and nobody seems to care anyway.
      * d/copyright: Rewrite using copyright-format 1.0.
      * Employ automatic upstream tarball repacking.
      * Bump debhelper compat level to 11.
      * Remove old upgrade code dealing with symlinks-to-dir in /usr/share/doc.
      * d/control:
        + Bump Standards-Version to 4.1.3, no changes needed.
        + Set Rules-Requires-Root: no.
        + Move from the deprecated priority:extra to priority:optional also for the
          -dbg packages.
        + Lower the priority of the libxml2 package to optional.
          Since Policy 4.0.1 library packages should not have a priority higher
          than optional.  See #886039 for the override change.
      * d/rules:
         + Stop installing the TODO files.
         + Install the AUTHORS and README files only on the main libxml2 binary.
         + Workaround debhelper bug #886037 by reshuffling the dh_strip calls.
    
     -- Gianfranco Costamagna <email address hidden>  Tue, 02 Jan 2018 10:35:09 +0100
  • libxml2 (2.9.4+dfsg1-5.2ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.
    
    libxml2 (2.9.4+dfsg1-5.2) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790)
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 18 Dec 2017 19:20:37 +0100
  • libxml2 (2.9.4+dfsg1-5.1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.
    
    libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Fix NULL pointer deref in xmlDumpElementContent (CVE-2017-5969)
        (Closes: #855001)
      * Check for integer overflow in memory debug code (CVE-2017-5130)
        (Closes: #880000)
      * Fix copy-paste errors in error messages
      * python: remove single use of _PyVerify_fd (Closes: #878684)
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 27 Nov 2017 10:26:16 +0100
  • libxml2 (2.9.4+dfsg1-5ubuntu2) bionic; urgency=medium
    
      * No-change rebuild for icu soname change.
    
     -- Matthias Klose <email address hidden>  Tue, 07 Nov 2017 08:54:26 +0000
  • libxml2 (2.9.4+dfsg1-5ubuntu1) bionic; urgency=medium
    
      * debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.
    
    libxml2 (2.9.4+dfsg1-5) unstable; urgency=medium
    
      * Team upload.
      * d/control: Bump Standards-Version to 4.1.1, no changes needed.
      * d/rules:
        + Use `rename` instead of `prename`, and separate the -v and -f options.
          Closes: #876308
        + Fix usage of debhelper's -N and -p options: newer debhelper doesn't
          accept specifying packages not present in d/control.
    
     -- Adam Conrad <email address hidden>  Thu, 26 Oct 2017 01:32:39 -0600
  • libxml2 (2.9.4+dfsg1-4ubuntu2) bionic; urgency=medium
    
      * No-change rebuild for libicu soname change.
    
     -- Matthias Klose <email address hidden>  Wed, 25 Oct 2017 15:45:15 +0000
  • libxml2 (2.9.4+dfsg1-4ubuntu1) artful; urgency=medium
    
      * Fix FTBFS: Fix debhelper -p and -N flags.
    
     -- Matthias Klose <email address hidden>  Wed, 11 Oct 2017 11:06:37 +0200