Format: 1.8
Date: Wed, 06 May 2020 11:53:20 +0200
Source: libxml2
Architecture: source
Version: 2.9.10+dfsg-5+ubuntu16.04.1+deb.sury.org+3
Distribution: xenial
Urgency: medium
Maintainer: Debian XML/SGML Group
Changed-By: Ondřej Surý
Closes: 737774 806065 808372 812807 813613 819006 823405 823414 829718 832602 832864 836698 840553 840554 844581 855001 862450 862867 863018 863019 863021 863022 864328 869744 870865 870867 870870 874211 876308 878684 880000 882074 882613 883790 895195 895245 900113 901817 936941 943386 948493 949582 949583 952115
Changes:
 libxml2 (2.9.10+dfsg-5+ubuntu16.04.1+deb.sury.org+3) xenial; urgency=medium
 .
   * No-change backport to xenial
 .
 libxml2 (2.9.10+dfsg-5) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Mattia Rizzolo ]
   * d/rules:
     + Drop --disable-silent-rules, already passed by dh_auto_configure.
     + Drop --parallel, now default with debhelper compat > 10.
     + Use dh_installdocs and dh_installexamples to install docs and examples.
     + Use dh_missing --fail-missing (and add the relevant d/not-installed).
     + Minimize indep build to build only the docs.
   * d/watch: fix an option to avoid a warning message.
   * d/control:
     + Move most of the build-deps to Build-Depends-Arch.
     + Use ${python:Depends} also for python-libxml2-dbg.
   * Add a lintian override for
     debian-rules-uses-supported-python-versions-without-python-all-build-depends
 .
   [ Gunnar Hjalmarsson ]
   * d/p/python3-unicode-errors.patch:
     Fix segfault issue with itstool and py3. LP: #1869814
 .
 libxml2 (2.9.10+dfsg-4) unstable; urgency=medium
 .
   * Team upload.
   * Add patch from upstream to prevent a segfault in some platforms with
     illegal documents.
 .
 libxml2 (2.9.10+dfsg-3) unstable; urgency=medium
 .
   * Team upload.
   * Add patch so that xml2-config only displays libraries needed for
     dynamic linking. Closes: #952115
 .
 libxml2 (2.9.10+dfsg-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix memory leak in xmlSchemaValidateStream (CVE-2019-20388)
     (Closes: #949583)
   * Fix infinite loop in xmlStringLenDecodeEntities (CVE-2020-7595)
     (Closes: #949582)
 .
 libxml2 (2.9.10+dfsg-2) unstable; urgency=medium
 .
   * Team upload
   * Re-instate Python2 support for now, the rev-deps are not ready.
     Re-opens: #936941
   * python-libxml2-dbg: Depend on python2-dbg instead of python-dbg.
     Closes: #948493
   * d/control: Bump Standards-Version to 4.5.0, no changes needed.
   * Re-instate the xml2-config script for now.
   * Upload to unstable.
 .
 libxml2 (2.9.10+dfsg-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.10+dfsg.
     + Fix memory leak. CVE-2019-19956
   * Drop all patches.
   * d/control:
     + Bump debhelper compat level to 12.
     + Bump Standards-Version to 4.4.1, no changes needed.
   * d/libxml2.symbols: add Build-Depends-Package field, by lintian.
 .
 libxml2 (2.9.9+dfsg1-1~exp2) experimental; urgency=medium
 .
   * Team upload.
   * Merge the lost uploads 2.9.7+dfsg-1 and 2.9.8+dfsg-1.
 .
 libxml2 (2.9.9+dfsg1-1~exp1) experimental; urgency=medium
 .
   [ Rene Engelhard ]
   * actually remove the override_dh_gencontrol (thanks mattia)...
 .
   [ Aron Xu ]
   * New upstream version 2.9.9+dfsg1
     + Fix infinite loop in LZMA decompression. CVE-2018-9251; Closes: #895195
     + Fix (another) infinite loop in LZMA decompression. CVE-2018-14567
     + Fix nullptr deref with XPath logic ops. CVE-2018-14404; Closes: #901817
   * Remove patches merged upstream
   * Update symbols
   * Remove python2 support Closes: #936941
 .
 libxml2 (2.9.8+dfsg-1) experimental; urgency=medium
 .
   * Team upload.
 .
   [ Rene Engelhard ]
   * New upstream version 2.9.8+dfsg.
     + Fix possible XML External Entity attack. CVE-2016-9318; Closes: #844581
   * Update Vcs-* to salsa.debian.org.
 .
   [ Mattia Rizzolo ]
   * d/libxml2.symbols:
     + Remove removed symbols xmlNop@Base (no users found anywhere).
     + Add two new symbols.
   * Refresh patches.
     + Drop the Python 3.6 compatibility patch, upstreamed.
   * d/copyright: Update.
   * d/control: Bump Standards-Version to 4.2.1, no changes needed.
   * d/rules: Bump shlibs version.
 .
 libxml2 (2.9.7+dfsg-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.7+dfsg. Closes: #882074
     + Infinite recursion in parameter entities. CVE-2017-16932;
       Closes: #882613
     + Double entity expansion; Closes: #836698
     + Set memory limit for LZMA decompression. CVE-2017-18258;
       Closes: #895245
   * Refresh patches.
   * Refresh symbols.
   * Stop installing /usr/bin/xml2-config. Packages should just use
     pkg-config instead.
   * Remove the libxml2-dbg package, in favour of automatic debug package.
 .
 libxml2 (2.9.4+dfsg1-8) unstable; urgency=medium
 .
   * Team upload.
   * Fix autopkgtest: use `python2` instead of `python` and actually run the
     `python3` test. Closes: #943386
 .
 libxml2 (2.9.4+dfsg1-7) unstable; urgency=medium
 .
   * Team upload.
   * drop automatically generated dependency on (non-existing) libicu60-dbg
     from libxml2-dbg (closes: #900113)
 .
 libxml2 (2.9.4+dfsg1-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
     (Closes: #862450)
 .
 libxml2 (2.9.4+dfsg1-6) unstable; urgency=medium
 .
   * Team upload.
   * d/watch: bump to version 4, wrap lines, and limit matching to released
     stable versions.
   * Drop libxml2-udeb. The package has been broken in Ubuntu for a while
     already, and nobody seems to care anyway.
   * d/copyright: Rewrite using copyright-format 1.0.
   * Employ automatic upstream tarball repacking.
   * Bump debhelper compat level to 11.
   * Remove old upgrade code dealing with symlinks-to-dir in /usr/share/doc.
   * d/control:
     + Bump Standards-Version to 4.1.3, no changes needed.
     + Set Rules-Requires-Root: no.
     + Move from the deprecated priority:extra to priority:optional also for
       the -dbg packages.
     + Lower the priority of the libxml2 package to optional.
       Since Policy 4.0.1 library packages should not have a priority higher
       than optional. See #886039 for the override change.
   * d/rules:
     + Stop installing the TODO files.
     + Install the AUTHORS and README files only on the main libxml2 binary.
     + Work around debhelper bug #886037 by reshuffling the dh_strip calls.
 .
 libxml2 (2.9.4+dfsg1-5.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790)
 .
 libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix NULL pointer deref in xmlDumpElementContent (CVE-2017-5969)
     (Closes: #855001)
   * Check for integer overflow in memory debug code (CVE-2017-5130)
     (Closes: #880000)
   * Fix copy-paste errors in error messages
   * python: remove single use of _PyVerify_fd (Closes: #878684)
 .
 libxml2 (2.9.4+dfsg1-5) unstable; urgency=medium
 .
   * Team upload.
   * d/control: Bump Standards-Version to 4.1.1, no changes needed.
   * d/rules:
     + Use `rename` instead of `prename`, and separate the -v and -f options.
       Closes: #876308
     + Fix usage of debhelper's -N and -p options: newer debhelper doesn't
       accept specifying packages not present in d/control.
 .
 libxml2 (2.9.4+dfsg1-4) unstable; urgency=medium
 .
   * Team upload.
   * Drop Recommends: xml-core from libxml2. xml-core is not really needed
     by anything, and packages needing it already depend on it.
     Closes: #869744
     Thanks to Adam Borowski for proposing it.
   * Run wrap-and-sort.
   * Add Build-Depends on rename. Closes: #874211
   * Bump Standards-Version to 4.1.0:
     + keep debug packages priority to extra as they are special cased by
       tools.
 .
 libxml2 (2.9.4+dfsg1-3.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Increase buffer space for port in HTTP redirect support (CVE-2017-7376)
     Incorrect limit was used for port values. (Closes: #870865)
   * Prevent unwanted external entity reference (CVE-2017-7375)
     Missing validation for external entities in xmlParsePEReference.
     (Closes: #870867)
   * Fix handling of parameter-entity references (CVE-2017-9049,
     CVE-2017-9050)
     - Heap-based buffer over-read in function xmlDictComputeFastKey
       (CVE-2017-9049).
     - Heap-based buffer over-read in function xmlDictAddString
       (CVE-2017-9050).
     (Closes: #863019, #863018)
   * Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047,
     CVE-2017-9048)
     - Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047).
     - Stack-based buffer overflow in function xmlSnprintfElementContent
       (CVE-2017-9048).
     (Closes: #863022, #863021)
   * Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663)
     Heap buffer overflow in xmlAddID. (Closes: #870870)
 .
 libxml2 (2.9.4+dfsg1-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Mattia Rizzolo ]
   * d/control:
     + Use HTTPS in Vcs-* fields.
     + Remove the deprecated '${python:Provides}' and '${python3:Provides}'.
     + Bump Standards-Version to 4.0.0, no changes needed.
   * Build for all supported python versions. Closes: #864328
     Thanks to YunQiang Su for the initial patch.
   * Drop libxml-utils-dbg package in favour of the automatic debug package.
   * Replace the upstream ChangeLog with the NEWS file. Closes: #808372
     The ChangeLog file stopped being updated in 2009, whereas NEWS is
     automatically generated by upstream during releases.
   * d/rules:
     + Correctly make use of the dh sequencer in the build step.
       Override dh_auto_build instead of using build/build-arch/build-indep
       targets directly. This makes it possible for dh to call dh_autoreconf
       and other helpers that would otherwise be skipped (like
       dh_update_autotools_config).
     + Fix duplicated targets for override_dh_auto_install-indep.
     + Streamline dpkg-buildflags usage.
   * Bump debhelper compat level to 10
     + remove --parallel, now default
     + remove --with autoreconf, now default
 .
   [ Helmut Grohne ]
   * Improve build profiles support. Closes: #862867
     + Rename the meaningless stage1 to the meaningful nopython.
     + Use the standard variable DEB_BUILD_PROFILES rather than
       DEB_BUILD_PROFILE by checking dh_listpackages.
     + Correctly build nopython even when python is installed.
     + Add build profile annotations to debian/control.
 .
 libxml2 (2.9.4+dfsg1-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix attribute decoding during XML schema validation
     (Closes: #832602, #832864)
 .
 libxml2 (2.9.4+dfsg1-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix comparison with root node in xmlXPathCmpNodes
   * Fix XPointer paths beginning with range-to (CVE-2016-5131)
     (Closes: #840554)
   * Disallow namespace nodes in XPointer ranges (CVE-2016-4658)
     (Closes: #840553)
   * Fix more NULL pointer derefs in xpointer.c
 .
 libxml2 (2.9.4+dfsg1-2) unstable; urgency=medium
 .
   [ YunQiang Su ]
   * add python3 support (Closes: #737774)
   * fix typo in test/control: python->python3
 .
   [ Aron Xu ]
   * Really allow parallel building
   * Mark python3-libxml2* as M-A: same
 .
 libxml2 (2.9.4+dfsg1-1) unstable; urgency=medium
 .
   * Imported Upstream version 2.9.4+dfsg1
     - Closes: 829718, CVE-2016-4448
   * Drop patches applied upstream, refresh remainder
   * Update Std-Ver to 3.9.8 from 3.9.6
   * Update symbols for 2.9.4
   * cherry-pick: Fix NULL pointer deref in XPointer range-to
 .
 libxml2 (2.9.3+dfsg1-1.2) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * Non-maintainer upload.
   * Add -arch suffix to some architecture-specific debhelper overrides,
     fixing FTBFS with dpkg-buildpackage -A or when source-only uploads
     are used (Closes: #806065)
     - Do a build for the default Python version even when we are building
       arch-indep-only: we need something for gtk-doc to analyze
 .
 libxml2 (2.9.3+dfsg1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
   * heap-buffer-overflow in xmlStrncat (CVE-2016-1834)
   * Add missing increments of recursion depth counter to XML parser
     (CVE-2016-3705) (Closes: #823414)
   * Avoid an out of bound access when serializing malformed strings
     (CVE-2016-4483) (Closes: #823405)
   * Heap-buffer-overflow in xmlFAParsePosCharGroup (CVE-2016-1840)
   * Heap-based buffer overread in xmlParserPrintFileContextInternal
     (CVE-2016-1838)
   * Heap-based buffer overread in xmlDictAddString
     (CVE-2016-1839 CVE-2015-8806 CVE-2016-2073)
     (Closes: #813613, #812807)
   * Heap use-after-free in xmlDictComputeFastKey (CVE-2016-1836)
   * Fix inappropriate fetch of entities content (CVE-2016-4449)
   * Heap use-after-free in htmlParsePubidLiteral and
     htmlParseSystemLiteral (CVE-2016-1837)
   * Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
   * Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
   * Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
   * Avoid building recursive entities (CVE-2016-3627) (Closes: #819006)