-
libxml2 (2.8.0+dfsg1-7+wheezy5) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
* Add patches to address CVE-2015-7941.
CVE-2015-7941: Denial of service via out-of-bounds read. (Closes: #783010)
* Add CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch.
CVE-2015-1819: Enforce the reader to run in constant memory.
Thanks to Mike Gabriel for the patch backport. (Closes: #782782)
* Add patches to address CVE-2015-8317.
CVE-2015-8317: Out-of-bounds heap read when parsing file with unfinished
xml declaration.
* Add patches to address CVE-2015-7942.
CVE-2015-7942: heap-based buffer overflow in
xmlParseConditionalSections(). (Closes: #802827)
* Add Fix-parsing-short-unclosed-comment-uninitialized-acc.patch patch.
Parsing an unclosed comment can result in `Conditional jump or move
depends on uninitialised value(s)` and unsafe memory access.
(Closes: #782985)
* Add CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch.
CVE-2015-8035: DoS when parsing specially crafted XML document if XZ
support is enabled. (Closes: #803942)
* Add Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch.
CVE-2015-8241: Buffer overread with XML parser in xmlNextChar.
(Closes: #806384)
* Add Avoid-processing-entities-after-encoding-conversion-.patch patch.
CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl.
* Add CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch.
CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey.
* Add CVE-2015-5312-Another-entity-expansion-issue.patch patch.
CVE-2015-5312: CPU exhaustion when processing specially crafted XML
input.
* Add patches to address CVE-2015-7499.
CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
Add a specific parser error (XML_ERR_USER_STOP), backported from
e50ba8164eee06461c73cd8abb9b46aa0be81869 upstream (commit to address
CVE-2013-2877, the "Try to stop parsing as quickly as possible" was not
backported).
* Add CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch.
CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
-- Salvatore Bonaccorso <email address hidden> Sat, 19 Dec 2015 15:25:28 +0100
-
libxml2 (2.8.0+dfsg1-7+wheezy4) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
* Add missing required patches for CVE-2014-3660.
The two upstream commits a3f1e3e5712257fd279917a9158278534e8f4b72 and
cff2546f13503ac028e4c1f63c7b6d85f2f2d777 are required in addition to the
commit be2a7edaf289c5da74a4f9ed3a0b6c733e775230 to fix CVE-2014-3660 due
to changes in the use of ent->checked.
Fixes "libxml2: CVE-2014-3660 patch makes installation-guide FTBFS".
(Closes: #774358)
* Refresh cve-2014-3660.patch patch
* Refresh cve-2014-3660-bis.patch patch
-- Salvatore Bonaccorso <email address hidden> Sat, 04 Apr 2015 11:01:18 +0200
-
libxml2 (2.8.0+dfsg1-7+wheezy2) stable-security; urgency=high
* Fix buggy patch (Closes: #765770)
* Fix wrongly applied patch for CVE-2014-0191 (Closes: #762864)
* Add patch for CVE-2014-3660 (Closes: #765722)
-- Aron Xu <email address hidden> Sun, 26 Oct 2014 12:39:34 +0800
-
libxml2 (2.8.0+dfsg1-7+wheezy1) stable-security; urgency=high
* debian/patches/cve-2014-0191.patch: libxml2 could be made to consume
resources if it processed a specially crafted file.
(Closes: #747309, CVE-2014-0191)
-- Aron Xu <email address hidden> Wed, 09 Jul 2014 04:18:01 +0800
-
libxml2 (2.8.0+dfsg1-7+nmu3) stable; urgency=low
* Non-maintainer upload with maintainer’s approval.
* 0007-Fix-pthread-memory-corruption.patch: patch stolen from the
upstream repository. Fix memory corruption when re-using the libxml2
from threaded applications. Closes: #742258.
-- Josselin Mouette <email address hidden> Fri, 04 Apr 2014 09:25:16 +0200
-
libxml2 (2.8.0+dfsg1-7+nmu2) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cve-2013-2877: out-of-bounds read when handling documents that end
abruptly.
-- Michael Gilbert <email address hidden> Sun, 13 Oct 2013 05:01:45 +0000
-
libxml2 (2.8.0+dfsg1-7+nmu1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cve-2013-0338 and cve-2013-0339: large memory consumption issues when
performing string substitution during entity expansion (closes: #702260).
-- Michael Gilbert <email address hidden> Wed, 06 Mar 2013 20:24:06 +0000
-
libxml2 (2.8.0+dfsg1-7) unstable; urgency=low
[ Daniel Veillard ]
* Fix potential out of bound access
CVE-2012-5134, Closes: #694521.
-- Aron Xu <email address hidden> Wed, 28 Nov 2012 22:40:13 +0800
-
libxml2 (2.8.0+dfsg1-6) unstable; urgency=low
[ Daniel Veillard ]
* Fix a failure to report xmlreader parsing failures
Closes: #676210.
[ Aron Xu ]
* Add gbp.conf for wheezy branch.
-- Aron Xu <email address hidden> Sun, 07 Oct 2012 14:18:59 +0800
-
libxml2 (2.8.0+dfsg1-5) unstable; urgency=low
[ Daniel Veillard ]
* Fix parser local buffers size problems
* Fix entities local buffers size problems
CVE-2012-2807, Closes: #679280.
-- Aron Xu <email address hidden> Thu, 19 Jul 2012 17:11:09 +0800
-
libxml2 (2.8.0+dfsg1-4) unstable; urgency=low
* Sanitize the output of `xml2-config --libs`.
-- Aron Xu <email address hidden> Fri, 15 Jun 2012 01:42:55 +0800
-
libxml2 (2.8.0+dfsg1-3) unstable; urgency=low
* Remove odd output of xml2-config --libs (Closes: #675682).
* Mark libxml2-dev "M-A: same" again, fixed xml2-config
(Closes: #674474).
-- Aron Xu <email address hidden> Tue, 05 Jun 2012 01:44:14 +0800
-
libxml2 (2.7.8.dfsg-9.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cve-2012-3102: off by one pointer access in xpointer.c
(closes: #674191).
-- Michael Gilbert <email address hidden> Wed, 23 May 2012 13:48:52 -0400
-
libxml2 (2.7.8.dfsg-9) unstable; urgency=low
* Multi-Arch ready. (Closes: #643026)
- M-A:same packages are libxml2, libxml2-dev and libxml2-dbg.
- M-A:foreign package is libxml2-utils, others are not M-A.
- Library files in udeb are still placed under usr/lib directly.
* New binary: libxml2-utils-dbg.
Move debuggings symbols of libxml2-utils binaries to another package
in favor of marking libxml2-dbg as M-A: same. Descriptions of related
binary packages are slightly modified.
* Enable hardening for Python modules. (Closes: #664107)
* Add support for build-arch and build target, essentially make the
package not FTBFS anymore. (Closes: #668672)
* Use dh compat 9. Not hardcoding libdir in debian/rules.
* Port to source format 3.0 to ease future maintenance of patches.
- Old patches are stored in 01_historical_changes.patch
- Do not patch Makefile.in directly, use dh_autoreconf with patches to
configure.in and Makefile.am instead. This will not actually make
bootstrapping a new architecture more difficult since we already have
gettext and autoconf in deep B-D, porters need to break it anyway.
- Store doc/examples/index.html in patch to avoid circular B-D with
xsltproc, we should not B-D on it.
* debian/*.dirs: removed, useless.
-- Aron Xu <email address hidden> Sun, 22 Apr 2012 00:16:37 +0800
-
libxml2 (2.7.8.dfsg-7) unstable; urgency=low
* Team upload.
* parser.c: Fix an allocation error when copying entities.
CVE-2011-3919. Closes: #656377.
-- Andrew O. Shadura <email address hidden> Fri, 20 Jan 2012 12:54:41 +0300
-
libxml2 (2.7.8.dfsg-5.1) unstable; urgency=high
* Non-maintainer upload.
* encoding.c: Fix off by one error. CVE-2011-0216.
* parser.c: Make sure parser returns when getting a Stop order.
CVE-2011-3905.
* Both closes: #652352.
-- Luk Claes <email address hidden> Fri, 30 Dec 2011 18:31:13 +0100
-
libxml2 (2.7.8.dfsg-5) unstable; urgency=low
* xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation.
CVE-2011-2821.
* xpath.c: Fix for undefined namespaces. CVE-2011-2834.
* Both closes: #643648.
-- Mike Hommey <email address hidden> Fri, 07 Oct 2011 09:31:14 +0200
-
libxml2 (2.7.8.dfsg-4) unstable; urgency=low
* debian/rules: Add --with python2 to dh call.
* debian/control:
- Remove build dependency on python-support.
- Build depend on python-all-dev >= 2.6.6-3~.
- Remove XB-Python-Version header.
- Bump Standards-Version to 3.9.2.0. No changes required.
* debian/pycompat: Removed.
With the above changes, closes: #631416. Thanks Colin Watson.
-- Mike Hommey <email address hidden> Fri, 29 Jul 2011 12:33:08 +0200
-
libxml2 (2.7.8.dfsg-3) unstable; urgency=low
* xpath.c: Fix some potential problems on reallocation failures.
Closes: #628537.
-- Mike Hommey <email address hidden> Sat, 04 Jun 2011 10:40:39 +0900
-
libxml2 (2.7.8.dfsg-2) unstable; urgency=low
* xpath.c: Fix a double-freeing error in XPath processing code.
(CVE-2010-4494). Closes: #607922.
-- Mike Hommey <email address hidden> Sat, 25 Dec 2010 10:48:27 +0100