-
libxml2 (2.8.0+dfsg1-5ubuntu2.5) quantal-security; urgency=medium
* SECURITY UPDATE: resource exhaustion via external parameter entities
- debian/patches/CVE-2014-0191.patch: do not fetch external parameter
entities in parser.c.
- CVE-2014-0191
-- Marc Deslauriers <email address hidden> Thu, 08 May 2014 14:29:41 -0400
-
libxml2 (2.8.0+dfsg1-5ubuntu2.4) quantal-security; urgency=low
* SECURITY REGRESSION: regression with lxml (LP: #1201849)
- debian/patches/CVE-2013-2877.patch: revised to fix regression, and a
couple of wrong return values.
- CVE-2013-2877
-- Marc Deslauriers <email address hidden> Tue, 16 Jul 2013 13:53:52 -0400
-
libxml2 (2.8.0+dfsg1-5ubuntu2.3) quantal-security; urgency=low
* SECURITY UPDATE: external entity expansion attack (LP: #1194410)
- debian/patches/CVE-2013-0339.patch: do not fetch external parsed
entities in parser.c, added test to test/errors/extparsedent.xml,
result/errors/extparsedent.xml.
- CVE-2013-0339
* SECURITY UPDATE: denial of service via incomplete document
- debian/patches/CVE-2013-2877.patch: try to stop parsing as quickly as
possible in parser.c, include/libxml/xmlerror.h.
- CVE-2013-2877
-- Marc Deslauriers <email address hidden> Thu, 11 Jul 2013 14:53:41 -0400
-
libxml2 (2.8.0+dfsg1-5ubuntu2.2) quantal-security; urgency=low
* SECURITY UPDATE: denial of service via entity expansion
- debian/patches/CVE-2013-0338.patch: limit number of entity expansions
in include/libxml/parser.h, parser.c, parserInternals.c.
- CVE-2013-0338
-- Marc Deslauriers <email address hidden> Tue, 26 Mar 2013 10:08:01 -0400
-
libxml2 (2.8.0+dfsg1-5ubuntu2.1) quantal-security; urgency=low
* SECURITY UPDATE: buffer underflow in xmlParseAttValueComplex()
- debian/patches/CVE-2012-5134.patch: add array bounds checking in
parser.c, thanks to Daniel Veillard
- CVE-2012-5134
-- Seth Arnold <email address hidden> Tue, 04 Dec 2012 10:16:41 -0800
-
libxml2 (2.8.0+dfsg1-5ubuntu2) quantal; urgency=low
* debian/tests/control: added pkg-config as depends for the test.
Change forwarded to Debian as bug 690047.
-- Daniel Holbach <email address hidden> Wed, 10 Oct 2012 08:15:16 +0200
-
libxml2 (2.8.0+dfsg1-5ubuntu1) quantal; urgency=low
* debian/tests/build, debian/tests/control: add test to check
that code can be easily built against libxml2, test some core
functionality too.
* debian/control: enable autopkgtest.
-- Daniel Holbach <email address hidden> Tue, 09 Oct 2012 13:49:15 +0200
-
libxml2 (2.8.0+dfsg1-5) unstable; urgency=low
[ Daniel Veillard ]
* Fix parser local buffers size problems
* Fix entities local buffers size problems
CVE-2012-2807, Closes: #679280.
-- Aron Xu <email address hidden> Thu, 19 Jul 2012 17:11:09 +0800
-
libxml2 (2.8.0+dfsg1-4ubuntu1) quantal; urgency=low
* Merge with Debian (LP: #987502), remaining changes:
- Don't drop *.la file. Some libraries still depend on it.
libxml2 (2.8.0+dfsg1-4) unstable; urgency=low
* Sanitize the output of `xml2-config --libs`.
libxml2 (2.8.0+dfsg1-3) unstable; urgency=low
* Remove odd output of xml2-config --libs (Closes: #675682).
* Mark libxml2-dev "M-A: same" again, fixed xml2-config
(Closes: #674474).
libxml2 (2.8.0+dfsg1-2) unstable; urgency=low
* debian/control:
- Remove "M-A: same" from libxml2-dev (Closes: #674474).
- Add "M-A: foreign" to libxml2-doc.
* debian/rules:
- Style change on calling dh using --with.
- Enable all hardening features.
- The sed command for removing DEB_HOST_MULTIARCH is not reverted
because it's generally a good idea to avoid it here.
* lintian-overrides:
- libxml2: package-name-doesnt-match-sonames
- python-libxml2-dbg: hardening-no-fortify-functions
libxml2 (2.8.0+dfsg1-1) unstable; urgency=low
* New upstream release. (Closes: #148220, #590934)
* Adjust changelog of previous NMU (Closes: #674739).
* Try to avoid useless space in /usr/bin/xml-config (Closes: #674474).
libxml2 (2.7.8.dfsg-9.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix CVE-2011-3102: off by one pointer access in xpointer.c
(Closes: #674191).
libxml2 (2.7.8.dfsg-9) unstable; urgency=low
* Multi-Arch ready. (Closes: #643026)
- M-A:same packages are libxml2, libxml2-dev and libxml2-dbg.
- M-A:foreign package is libxml2-utils, others are not M-A.
- Library files in udeb are still placed under usr/lib directly.
* New binary: libxml2-utils-dbg.
Move debugging symbols of libxml2-utils binaries to another package
in favor of marking libxml2-dbg as M-A: same. Descriptions of related
binary packages are slightly modified.
* Enable hardening for Python modules. (Closes: #664107)
* Add support for build-arch and build target, essentially make the
package not FTBFS anymore. (Closes: #668672)
* Use dh compat 9. Not hardcoding libdir in debian/rules.
* Port to source format 3.0 to ease future maintenance of patches.
- Old patches are stored in 01_historical_changes.patch
- Do not patch Makefile.in directly, use dh_autoreconf with patches to
configure.in and Makefile.am instead. This will not actually make
bootstrapping a new architecture more difficult since we already have
gettext and autoconf in deep B-D, porters need to break it anyway.
- Store doc/examples/index.html in patch to avoid circular B-D with
xsltproc, we should not B-D on it.
* debian/*.dirs: removed, useless.
libxml2 (2.7.8.dfsg-8) unstable; urgency=high
* New maintainer (Closes: #654176).
* Apply upstream patch to add randomization to hashing with large
dictionaries to mitigate hash DoS (CVE-2012-0841; Closes: #660846)
* Bump std-ver to 3.9.3, no change needed.
libxml2 (2.7.8.dfsg-7) unstable; urgency=low
* Team upload.
* parser.c: Fix an allocation error when copying entities.
CVE-2011-3919. Closes: #656377.
libxml2 (2.7.8.dfsg-6) unstable; urgency=low
* Team upload.
* Enabled hardened build flags (Closes: #654903).
* error.c: Fix __xmlRaiseError (Closes: #622358).
-- Iain Lane <email address hidden> Mon, 25 Jun 2012 13:14:43 +0100
-
libxml2 (2.7.8.dfsg-5.1ubuntu5) quantal; urgency=low
* SECURITY UPDATE: Fix an off by one pointer access in xpointer.c
- d8e1faeaa99c7a7c07af01c1c72de352eb590a3e
- CVE-2011-3102
-- Jamie Strandboge <email address hidden> Fri, 18 May 2012 08:53:18 -0500
-
libxml2 (2.7.8.dfsg-5.1ubuntu4) precise; urgency=low
* SECURITY UPDATE: add randomization to dictionaries with hash tables
to help prevent denial of service via hash algorithm collision
- configure.in: lookup for rand, srand and time
- dict.c: add randomization to dictionaries hash tables
- hash.c: add randomization to normal hash tables
- 8973d58b7498fa5100a876815476b81fd1a2412a
- CVE-2012-0841
-- Jamie Strandboge <email address hidden> Tue, 28 Feb 2012 07:20:11 -0600