-
libxml2 (2.6.31.dfsg-2ubuntu1.12) hardy-security; urgency=low
* SECURITY UPDATE: denial of service via entity expansion
- include/libxml/parser.h, parser.c, parserInternals.c: limit number of
entity expansions, thanks to Daniel Veillard.
- http://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
- CVE-2013-0338
-- Marc Deslauriers <email address hidden> Tue, 26 Mar 2013 10:31:51 -0400
-
libxml2 (2.6.31.dfsg-2ubuntu1.11) hardy-security; urgency=low
* SECURITY UPDATE: buffer underflow in xmlParseAttValueComplex()
- debian/patches/CVE-2012-5134.patch: add array bounds checking in
parser.c, thanks to Daniel Veillard
- http://git.gnome.org/browse/libxml2/commit/?id=6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d
- CVE-2012-5134
-- Seth Arnold <email address hidden> Tue, 04 Dec 2012 12:58:08 -0800
-
libxml2 (2.6.31.dfsg-2ubuntu1.10) hardy-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
incorrect buffer sizes.
- http://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626
- http://git.gnome.org/browse/libxml2/commit/?id=4f9fdc709c4861c390cd84e2ed1fd878b3442e28
- http://git.gnome.org/browse/libxml2/commit/?id=baaf03f80f817bb34c421421e6cb4d68c353ac9a
- CVE-2012-2807
-- Marc Deslauriers <email address hidden> Wed, 26 Sep 2012 13:25:11 -0400
-
libxml2 (2.6.31.dfsg-2ubuntu1.9) hardy-security; urgency=low
* SECURITY UPDATE: Fix an off by one pointer access in xpointer.c
- d8e1faeaa99c7a7c07af01c1c72de352eb590a3e
- CVE-2011-3102
-- Jamie Strandboge <email address hidden> Fri, 18 May 2012 09:00:44 -0500
-
libxml2 (2.6.31.dfsg-2ubuntu1.8) hardy-security; urgency=low
* SECURITY UPDATE: add randomization to dictionaries with hash tables
help prevent denial of service via hash algorithm collision
- configure.in: lookup for rand, srand and time
- dict.c: add randomization to dictionaries hash tables
- hash.c: add randomization to normal hash tables
- CVE-2012-0841
This patch based on RedHat's 2.6 patch which includes the following
commits:
- b242b08831637432984439729a170153bdc3ed8d
- e9100a589d9dc97a09b2295db18657ce31adee65
- 424785e793a77c1f35898aeb31fc7cd64ba57334
- ffda65f0e6447eba3807d04bf670243702da026b
- d68f8912c46a01f6c200e1414d290947b7db630e
- 523e63559961f31e142c72049bb9b2595974c82f
-- Jamie Strandboge <email address hidden> Fri, 24 Feb 2012 15:42:31 -0600
-
libxml2 (2.6.31.dfsg-2ubuntu1.7) hardy-security; urgency=low
* SECURITY UPDATE: fix off-by-one leading to denial of service
- encoding.c: adjust calculation of space available
- 69f04562f75212bfcabecd190ea8b06ace28ece2
- CVE-2011-0216
* SECURITY UPDATE: fix double free in XPath evaluation
- xpath.c: fix missing error status in XPath evaluation
- 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd
- CVE-2011-2834
* SECURITY UPDATE: fix out of bounds read
- parser.c: make sure the parser returns when getting a Stop order
- 77404b8b69bc122d12231807abf1a837d121b551
- CVE-2011-3905
* SECURITY UPDATE: fix heap overflow
- parser.c: fix an allocation error when copying entities
- 5bd3c061823a8499b27422aee04ea20aae24f03e
- CVE-2011-3919
-- Jamie Strandboge <email address hidden> Wed, 18 Jan 2012 14:20:37 -0600
-
libxml2 (2.6.31.dfsg-2ubuntu1.6) hardy-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
specially crafted xml file
- xpath.c: update count only if allocation succeeds.
- http://git.gnome.org/browse/libxml2/commit/?id=d7958b21e7f8c447a26bb2436f08402b2c308be4
- CVE-2011-1944
-- Marc Deslauriers <email address hidden> Thu, 16 Jun 2011 09:30:30 -0400
-
libxml2 (2.6.31.dfsg-2ubuntu1.5) hardy-security; urgency=low
* SECURITY UPDATE: fix invalid memory read by fixing the semantic of XPath
axis for namespace/attribute context nodes
- http://git.gnome.org/browse/libxml2/patch/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c
- http://git.gnome.org/browse/libxml2/patch/?id=ea90b894146030c214a7df6d8375310174f134b9
- CVE-2010-4008
-- Jamie Strandboge <email address hidden> Mon, 08 Nov 2010 13:00:19 -0600
-
libxml2 (2.6.31.dfsg-2ubuntu1.4) hardy-security; urgency=low
* SECURITY UPDATE: denial of service via stack overflow from crafted
root XML document element DTD definition
- parser.c: validate ctxt->depth isn't too deep
- CVE-2009-2414
* SECURITY UPDATE: denial of service via use-after-frees when parsing
Notation and Enumeration attribute types
- parser.c: use xmlFreeEnumeration before returning.
- CVE-2009-2416
-- Marc Deslauriers <email address hidden> Mon, 10 Aug 2009 16:32:39 -0400
-
libxml2 (2.6.31.dfsg-2ubuntu1.3) hardy-security; urgency=low
* SECURITY UPDATE: infinite loop, integer overflow, and double-free.
- parserInternals.c: upstream fix for double-free (svn rev 3741).
- tree.c: fix for infinite loop, thanks to Mike Hommey (CVE-2008-4225).
- SAX2.c: fix for integer overflow, thanks to Mike Hommey CVE-2008-4226).
-- Kees Cook <email address hidden> Tue, 18 Nov 2008 09:01:05 -0800
-
libxml2 (2.6.31.dfsg-2ubuntu1.2) hardy-security; urgency=low
* SECURITY UPDATE: heap overflow in entity name parsing.
* parser.c: upstream fixes thanks to Tomas Hoger.
* include/libxml/parser.h, parser.c: improvements to CVE-2008-3281 fix,
thanks to Tomas Hoger.
* References
CVE-2008-3529
-- Kees Cook <email address hidden> Thu, 11 Sep 2008 09:41:33 -0700
-
libxml2 (2.6.31.dfsg-2ubuntu1.1) hardy-security; urgency=low
* SECURITY UPDATE: DoS via recursive entity evaluation.
* entities.c, include/libxml/parser.h, parser.c, parserInternals.c:
non-ABI-breaking version of upstream changes, thanks to Mike Hommey.
* References
CVE-2008-3281
-- Kees Cook <email address hidden> Tue, 02 Sep 2008 14:25:35 -0700
-
libxml2 (2.6.31.dfsg-2ubuntu1) hardy; urgency=low
* Merge with Debian; remaining changes:
- debian/rules: create a udeb for debian-installer, correct libxml2-dev
Depends to include zlib1g-dev.
- Build a python-libxml2-dbg package.
- Link using -Bsymbolic-functions.
* Fixed: USN-569-1, denial of service bug in UTF-8 handling. LP: #181985.
libxml2 (2.6.31.dfsg-2) unstable; urgency=low
* debian/rules: Brown paper bag: uncomment $(MAKE) distclean.
Closes: #442656.
* xstc/Makefile.am, xstc/Makefile.in: Properly clean generated files.
* nanohttp.c: Apply fix from svn revision 3685 to allocate enough memory
for the Host HTTP header when containing a port number. Closes: #464173.
* error.c: Don't grow error buffer indefinitely when vsnprintf returns -1,
which, if it happens, on glibc-based systems, will happen indefinitely.
Closes: #456653.
-- Matthias Klose <email address hidden> Wed, 12 Mar 2008 10:25:35 +0000
-
libxml2 (2.6.31.dfsg-1ubuntu1) hardy; urgency=low
* Merge with Debian; remaining changes:
- debian/rules: create a udeb for debian-installer, correct libxml2-dev
Depends to include zlib1g-dev.
- Build a python-libxml2-dbg package.
- Link using -Bsymbolic-functions.
libxml2 (2.6.31.dfsg-1) unstable; urgency=low
* New upstream release.
* Acknowledged NMU.
* testModule.c: Revert our change to add PATH_MAX for the Hurd, since we now
don't even build this file.
* debian/rules: bump shlibs to current version, since a new symbol was added.
* debian/libxml2.symbols: Reference the new symbol.
* autogen.sh: Switch to automake1.10 to follow upstream.
libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
* Non-maintainer upload by security team.
* This update addresses the following security issue:
- CVE-2007-6284: The xmlCurrentChar function allows context-dependent
attackers to cause a denial of service (infinite loop) via XML
containing invalid UTF-8 sequences (Closes: #460292).
-- Matthias Klose <email address hidden> Tue, 29 Jan 2008 16:24:13 +0100
-
libxml2 (2.6.30.dfsg-3ubuntu1) hardy; urgency=low
* Merge with Debian; remaining changes:
- debian/rules: create a udeb for debian-installer, correct libxml2-dev
Depends to include zlib1g-dev.
- Build a python-libxml2-dbg package.
- Fix a regression using XSLT copy element. LP: #147144.
* Link using -Bsymbolic-functions.
libxml2 (2.6.30.dfsg-3) unstable; urgency=low
* debian/libxml2.symbols: Add a symbols file to benefit from the new
features in dpkg-shlibdeps.
* debian/control: Build depend on debhelper (>= 5.0.61) and dpkg-dev (>=
1.14.9), accordingly.
* debian/rules:
+ Apply rules suggested in autotools-dev documentation.
+ Add -Wl,--as-needed to LDFLAGS so that useless dependencies are not
added.
* Makefile.am, Makefile.in: Don't build noinst targets.
-- Matthias Klose <email address hidden> Wed, 05 Dec 2007 19:50:33 +0000
-
libxml2 (2.6.30.dfsg-2ubuntu1) gutsy; urgency=low
* Merge with Debian; remaining changes:
- debian/rules: create a udeb for debian-installer, correct libxml2-dev
Depends to include zlib1g-dev.
- Build a python-libxml2-dbg package.
* Fixes a regression using XSLT copy element. LP: #147144.
libxml2 (2.6.30.dfsg-2) unstable; urgency=low
* libxml.h: define _LARGEFILE64_SOURCE to properly get gzopen64 defines in
zlib.h. Closes: #439843. Thanks Dann Frazier.
libxml2 (2.6.30.dfsg-1) unstable; urgency=low
* New upstream release.
-- Matthias Klose <email address hidden> Wed, 03 Oct 2007 14:35:16 +0200