Change logs for libxml2 source package in Focal

  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.7) focal-security; urgency=medium
    
      * SECURITY UPDATE: use-after-free via XInclude expansion
        - debian/patches/CVE-2024-25062-pre1.patch: avoid call stack overflow
          with XML reader and recursive XIncludes in xmlreader.c.
        - debian/patches/CVE-2024-25062.patch: don't expand XIncludes when
          backtracking in xmlreader.c.
        - CVE-2024-25062
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Feb 2024 13:19:13 -0500
  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: Null dereference
        - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
          xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
          when parsing (invalid) XML schemas in
          result/schemas/oss-fuzz-51295_0_0.err,
          test/schemas/oss-fuzz-51295_0.xml,
          test/schemas/oss-fuzz-51295_0.xsd,
          xmlschemas.c.
        - CVE-2023-28484
      * SECURITY UPDATE: Logic or memory errors and double frees
        - debian/patches/CVE-2023-29469.patch: check whether namelen is less than
          or equal to zero in dict.c.
        - CVE-2023-29469
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 14 Apr 2023 09:29:46 -0300
  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: NULL pointer dereference
        - debian/patches/CVE-2022-2309.patch: reset nsNr in
          xmlCtxReset in parser.c (LP: #1996494).
        - CVE-2022-2309
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2022-40303.patch: fix integer overflows
          with XML_PARSE_HUGE in parser.c.
        - CVE-2022-40303
      * SECURITY UPDATE: Double-free
        - debian/patches/CVE-2022-40304.patch: fix dict
          corruption caused by entity ref cycles in
          entities.c.
        - CVE-2022-40304
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 30 Nov 2022 09:53:52 -0300
  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Possible cross-site scripting
        - debian/patches/CVE-2016-3709.patch: Revert "do not URI escape
          in server side includes" in HTMLtree.c.
        - CVE-2016-3709
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 01 Aug 2022 11:05:23 -0300
  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: Integer overflows
        - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
          xmlBuf and xmlBuffer in tree.c, buf.c.
        - CVE-2022-29824
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 10 May 2022 11:13:24 -0300
  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: use-after-free of ID and IDREF attributes
        - debian/patches/CVE-2022-23308.patch: normalize ID attributes in
          valid.c.
        - CVE-2022-23308
    
     -- Marc Deslauriers <email address hidden>  Thu, 10 Mar 2022 12:59:13 -0500
  • libxml2 (2.9.10+dfsg-5ubuntu0.20.04.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: out-of-bounds read
        - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
          sequences don't cause an out-of-bounds array access in xmllint.
        - CVE-2020-24977
      * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
        - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
          that names aren't stored in dictionaries.
        - CVE-2021-3516
      * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
        - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
          UTF-8 format, supplementing CVE-2020-24977 fix.
        - CVE-2021-3517
      * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
        - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
          list approach to avoid descending into other node types that can't
          contain elements.
        - CVE-2021-3518
      * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
        - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
          to xmlParseElementChildrenContentDeclPriv and return immediately in case
          of errors.
        - CVE-2021-3537
      * SECURITY UPDATE: Exponential entity expansion
        - debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to
          xmlParserEntityCheck to prevent exponential entity expansion.
        - CVE-2021-3541
    
     -- Avital Ostromich <email address hidden>  Wed, 26 May 2021 19:51:20 -0400
  • libxml2 (2.9.10+dfsg-5) unstable; urgency=medium
    
      * Team upload.
    
      [ Mattia Rizzolo ]
      * d/rules:
        + Drop --disable-silent-rules, already passed by dh_auto_configure.
        + Drop --parallel, now default with debhelper compat > 10.
        + Use dh_installdocs and dh_installexamples to install docs and examples.
        + Use dh_missing --fail-missing (and add the relevant d/not-installed).
        + Minimize indep build to build only the docs.
      * d/watch: fix an option to avoid a warning message.
      * d/control:
        + Move most of the build-deps to Build-Depends-Arch.
        + Use ${python:Depends} also for python-libxml2-dbg.
      * Add a lintian override for
        debian-rules-uses-supported-python-versions-without-python-all-build-depends
    
      [ Gunnar Hjalmarsson ]
      * d/p/python3-unicode-errors.patch:
        Fix segfault issue with itstool and py3.  LP: #1869814
    
     -- Mattia Rizzolo <email address hidden>  Fri, 10 Apr 2020 14:53:23 +0200
  • libxml2 (2.9.10+dfsg-4build1) focal; urgency=medium
    
      * No-change rebuild for icu soname change.
    
     -- Matthias Klose <email address hidden>  Tue, 03 Mar 2020 21:48:24 +0100
  • libxml2 (2.9.10+dfsg-4) unstable; urgency=medium
    
      * Team upload.
      * Add patch from upstream to prevent a segfault in some platforms with
        illegal documents.
    
     -- Mattia Rizzolo <email address hidden>  Thu, 27 Feb 2020 19:21:45 +0100
  • libxml2 (2.9.10+dfsg-1ubuntu3) focal; urgency=medium
    
      * debian/patches/0001-Check-the-type-of-each-node-in-xmlFreeNodeList-
        not-j.patch: Check the type of each node in xmlFreeNodeList, not just
        the parent node.
    
     -- Steve Langasek <email address hidden>  Sat, 22 Feb 2020 23:58:06 -0800
  • libxml2 (2.9.10+dfsg-1ubuntu2) focal; urgency=medium
    
      * Restore the old xml2-config behaviour to print the shared libs by default.
        xml2-config --libs --static still can be used for the private libs.
    
     -- Matthias Klose <email address hidden>  Thu, 20 Feb 2020 10:56:09 +0100
  • libxml2 (2.9.10+dfsg-1ubuntu1) focal; urgency=medium
    
      * Restore the xml2-config binary for now.
    
     -- Matthias Klose <email address hidden>  Tue, 18 Feb 2020 09:41:38 +0100
  • libxml2 (2.9.4+dfsg1-8ubuntu4) focal; urgency=medium
    
      * No-change rebuild for icu soname change.
    
     -- Matthias Klose <email address hidden>  Thu, 13 Feb 2020 09:00:31 +0100
  • libxml2 (2.9.4+dfsg1-8ubuntu3) focal; urgency=medium
    
      * debian/patches/python3-unicode-errors.patch:
        - use a patch from opensuse/fedora to fix a segfault issue with
          python3, fix itstool and the ubuntu-docs build
    
     -- Sebastien Bacher <email address hidden>  Wed, 15 Jan 2020 16:40:02 +0100
  • libxml2 (2.9.4+dfsg1-8ubuntu2) focal; urgency=medium
    
      * python-libxml2-dbg: Depend on python2-dbg instead of python-dbg.
    
     -- Matthias Klose <email address hidden>  Thu, 09 Jan 2020 14:02:41 +0100
  • libxml2 (2.9.4+dfsg1-8ubuntu1) focal; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/CVE-2016-9318.patch: fix in parser.c.
        - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
        - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
        - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
        - debian/patches/CVE-2017-16932.patch: fix in parser.c and
          add some error check files result/errors/759579.xml,
          result/errors/759579.xml.err, result/errors/759579.xml.str,
          test/errors/759579.xml.
    
    libxml2 (2.9.4+dfsg1-8) unstable; urgency=medium
    
      * Team upload.
      * Fix autopkgtest: use `python2` instead of `python` and actually run the
        `python3` test.  Closes: #943386
    
     -- Gianfranco Costamagna <email address hidden>  Thu, 21 Nov 2019 06:28:07 +0100
  • libxml2 (2.9.4+dfsg1-7ubuntu5) focal; urgency=medium
    
      * Adjust testsuite for python->python2 move
    
     -- Gianfranco Costamagna <email address hidden>  Thu, 24 Oct 2019 11:06:28 +0200
  • libxml2 (2.9.4+dfsg1-7ubuntu4) focal; urgency=medium
    
      * No-change rebuild to build with python3.8.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Oct 2019 18:08:14 +0000
  • libxml2 (2.9.4+dfsg1-7ubuntu3) disco; urgency=medium
    
      * No-change rebuild for icu soname changes.
    
     -- Matthias Klose <email address hidden>  Tue, 13 Nov 2018 08:14:59 +0000