Change logs for libxml2 source package in Hardy

  • libxml2 (2.6.31.dfsg-2ubuntu1.12) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via entity expansion
        - include/libxml/parser.h, parser.c, parserInternals.c: limit number of
          entity expansions, thanks to Daniel Veillard.
        - http://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
        - CVE-2013-0338
     -- Marc Deslauriers <email address hidden>   Tue, 26 Mar 2013 10:31:51 -0400
  • libxml2 (2.6.31.dfsg-2ubuntu1.11) hardy-security; urgency=low
    
      * SECURITY UPDATE: buffer underflow in xmlParseAttValueComplex()
        - debian/patches/CVE-2012-5134.patch: add array bounds checking in
          parser.c, thanks to Daniel Veillard
        - http://git.gnome.org/browse/libxml2/commit/?id=6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d
        - CVE-2012-5134
     -- Seth Arnold <email address hidden>   Tue, 04 Dec 2012 12:58:08 -0800
  • libxml2 (2.6.31.dfsg-2ubuntu1.10) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        incorrect buffer sizes.
        - http://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626
        - http://git.gnome.org/browse/libxml2/commit/?id=4f9fdc709c4861c390cd84e2ed1fd878b3442e28
        - http://git.gnome.org/browse/libxml2/commit/?id=baaf03f80f817bb34c421421e6cb4d68c353ac9a
        - CVE-2012-2807
     -- Marc Deslauriers <email address hidden>   Wed, 26 Sep 2012 13:25:11 -0400
  • libxml2 (2.6.31.dfsg-2ubuntu1.9) hardy-security; urgency=low
    
      * SECURITY UPDATE: Fix an off by one pointer access in xpointer.c
        - d8e1faeaa99c7a7c07af01c1c72de352eb590a3e
        - CVE-2011-3102
     -- Jamie Strandboge <email address hidden>   Fri, 18 May 2012 09:00:44 -0500
  • libxml2 (2.6.31.dfsg-2ubuntu1.8) hardy-security; urgency=low
    
      * SECURITY UPDATE: add randomization to dictionaries with hash tables
        to help prevent denial of service via hash algorithm collision
        - configure.in: lookup for rand, srand and time
        - dict.c: add randomization to dictionaries hash tables
        - hash.c: add randomization to normal hash tables
        - CVE-2012-0841
        This patch is based on Red Hat's 2.6 patch, which includes the following
        commits:
        - b242b08831637432984439729a170153bdc3ed8d
        - e9100a589d9dc97a09b2295db18657ce31adee65
        - 424785e793a77c1f35898aeb31fc7cd64ba57334
        - ffda65f0e6447eba3807d04bf670243702da026b
        - d68f8912c46a01f6c200e1414d290947b7db630e
        - 523e63559961f31e142c72049bb9b2595974c82f
     -- Jamie Strandboge <email address hidden>   Fri, 24 Feb 2012 15:42:31 -0600
  • libxml2 (2.6.31.dfsg-2ubuntu1.7) hardy-security; urgency=low
    
      * SECURITY UPDATE: fix off-by-one leading to denial of service
        - encoding.c: adjust calculation of space available
        - 69f04562f75212bfcabecd190ea8b06ace28ece2
        - CVE-2011-0216
      * SECURITY UPDATE: fix double free in XPath evaluation
        - xpath.c: fix missing error status in XPath evaluation
        - 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd
        - CVE-2011-2834
      * SECURITY UPDATE: fix out of bounds read
        - parser.c: make sure the parser returns when getting a Stop order
        - 77404b8b69bc122d12231807abf1a837d121b551
        - CVE-2011-3905
      * SECURITY UPDATE: fix heap overflow
        - parser.c: fix an allocation error when copying entities
        - 5bd3c061823a8499b27422aee04ea20aae24f03e
        - CVE-2011-3919
     -- Jamie Strandboge <email address hidden>   Wed, 18 Jan 2012 14:20:37 -0600
  • libxml2 (2.6.31.dfsg-2ubuntu1.6) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        specially crafted xml file
        - xpath.c: update count only if allocation succeeds.
        - http://git.gnome.org/browse/libxml2/commit/?id=d7958b21e7f8c447a26bb2436f08402b2c308be4
        - CVE-2011-1944
     -- Marc Deslauriers <email address hidden>   Thu, 16 Jun 2011 09:30:30 -0400
  • libxml2 (2.6.31.dfsg-2ubuntu1.5) hardy-security; urgency=low
    
      * SECURITY UPDATE: fix invalid memory read by fixing the semantic of XPath
        axis for namespace/attribute context nodes
        - http://git.gnome.org/browse/libxml2/patch/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c
        - http://git.gnome.org/browse/libxml2/patch/?id=ea90b894146030c214a7df6d8375310174f134b9
        - CVE-2010-4008
     -- Jamie Strandboge <email address hidden>   Mon, 08 Nov 2010 13:00:19 -0600
  • libxml2 (2.6.31.dfsg-2ubuntu1.4) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via stack overflow from crafted
        root XML document element DTD definition
        - parser.c: validate ctxt->depth isn't too deep
        - CVE-2009-2414
      * SECURITY UPDATE: denial of service via use-after-frees when parsing
        Notation and Enumeration attribute types
        - parser.c: use xmlFreeEnumeration before returning.
        - CVE-2009-2416
    
     -- Marc Deslauriers <email address hidden>   Mon, 10 Aug 2009 16:32:39 -0400
  • libxml2 (2.6.31.dfsg-2ubuntu1.3) hardy-security; urgency=low
    
      * SECURITY UPDATE: infinite loop, integer overflow, and double-free.
        - parserInternals.c: upstream fix for double-free (svn rev 3741).
        - tree.c: fix for infinite loop, thanks to Mike Hommey (CVE-2008-4225).
        - SAX2.c: fix for integer overflow, thanks to Mike Hommey (CVE-2008-4226).
    
     -- Kees Cook <email address hidden>   Tue, 18 Nov 2008 09:01:05 -0800
  • libxml2 (2.6.31.dfsg-2ubuntu1.2) hardy-security; urgency=low
    
      * SECURITY UPDATE: heap overflow in entity name parsing.
      * parser.c: upstream fixes thanks to Tomas Hoger.
      * include/libxml/parser.h, parser.c: improvements to CVE-2008-3281 fix,
        thanks to Tomas Hoger.
      * References
        CVE-2008-3529
    
     -- Kees Cook <email address hidden>   Thu, 11 Sep 2008 09:41:33 -0700
  • libxml2 (2.6.31.dfsg-2ubuntu1.1) hardy-security; urgency=low
    
      * SECURITY UPDATE: DoS via recursive entity evaluation.
      * entities.c, include/libxml/parser.h, parser.c, parserInternals.c:
        non-ABI-breaking version of upstream changes, thanks to Mike Hommey.
      * References
        CVE-2008-3281
    
     -- Kees Cook <email address hidden>   Tue, 02 Sep 2008 14:25:35 -0700
  • libxml2 (2.6.31.dfsg-2ubuntu1) hardy; urgency=low
    
      * Merge with Debian; remaining changes:
        - debian/rules: create a udeb for debian-installer, correct libxml2-dev
          Depends to include zlib1g-dev.
        - Build a python-libxml2-dbg package.
        - Link using -Bsymbolic-functions.
      * Fixed: USN-569-1, denial of service bug in UTF-8 handling. LP: #181985.
    
    libxml2 (2.6.31.dfsg-2) unstable; urgency=low
    
      * debian/rules: Brown paper bag: uncomment $(MAKE) distclean.
        Closes: #442656.
      * xstc/Makefile.am, xstc/Makefile.in: Properly clean generated files.
      * nanohttp.c: Apply fix from svn revision 3685 to allocate enough memory
        for the Host HTTP header when containing a port number. Closes: #464173.
      * error.c: Don't grow error buffer indefinitely when vsnprintf returns -1,
        which, if it happens, on glibc-based systems, will happen indefinitely.
        Closes: #456653.
    
     -- Matthias Klose <email address hidden>   Wed, 12 Mar 2008 10:25:35 +0000
  • libxml2 (2.6.31.dfsg-1ubuntu1) hardy; urgency=low
    
      * Merge with Debian; remaining changes:
        - debian/rules: create a udeb for debian-installer, correct libxml2-dev
          Depends to include zlib1g-dev.
        - Build a python-libxml2-dbg package.
        - Link using -Bsymbolic-functions.
    
    libxml2 (2.6.31.dfsg-1) unstable; urgency=low
    
      * New upstream release.
      * Acknowledged NMU.
      * testModule.c: Revert our change to add PATH_MAX for the Hurd, since we now
        don't even build this file.
      * debian/rules: bump shlibs to current version, since a new symbol was added.
      * debian/libxml2.symbols: Reference the new symbol.
      * autogen.sh: Switch to automake1.10 to follow upstream.
    
    libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
    
      * Non-maintainer upload by security team.
      * This update addresses the following security issue:
        - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
          attackers to cause a denial of service (infinite loop) via XML
          containing invalid UTF-8 sequences (Closes: #460292).
    
     -- Matthias Klose <email address hidden>   Tue, 29 Jan 2008 16:24:13 +0100
  • libxml2 (2.6.30.dfsg-3ubuntu1) hardy; urgency=low
    
      * Merge with Debian; remaining changes:
        - debian/rules: create a udeb for debian-installer, correct libxml2-dev
          Depends to include zlib1g-dev.
        - Build a python-libxml2-dbg package.
        - Fix a regression using XSLT copy element. LP: #147144.
      * Link using -Bsymbolic-functions.
    
    libxml2 (2.6.30.dfsg-3) unstable; urgency=low
    
      * debian/libxml2.symbols: Add a symbols file to benefit from the new
        features in dpkg-shlibdeps.
      * debian/control: Build depend on debhelper (>= 5.0.61) and dpkg-dev (>=
        1.14.9), accordingly.
      * debian/rules:
        + Apply rules suggested in autotools-dev documentation.
        + Add -Wl,--as-needed to LDFLAGS so that useless dependencies are not
        added.
      * Makefile.am, Makefile.in: Don't build noinst targets.
    
     -- Matthias Klose <email address hidden>   Wed, 05 Dec 2007 19:50:33 +0000
  • libxml2 (2.6.30.dfsg-2ubuntu1) gutsy; urgency=low
    
      * Merge with Debian; remaining changes:
        - debian/rules: create a udeb for debian-installer, correct libxml2-dev
          Depends to include zlib1g-dev.
        - Build a python-libxml2-dbg package.
      * Fixes a regression using XSLT copy element. LP: #147144.
    
    libxml2 (2.6.30.dfsg-2) unstable; urgency=low
    
      * libxml.h: define _LARGEFILE64_SOURCE to properly get gzopen64 defines in
        zlib.h. Closes: #439843. Thanks Dann Frazier.
    
    libxml2 (2.6.30.dfsg-1) unstable; urgency=low
    
      * New upstream release.
    
     -- Matthias Klose <email address hidden>   Wed, 03 Oct 2007 14:35:16 +0200