Opened 8 years ago

Last modified 8 years ago

#7152 closed enhancement

libxml2-2.9.3 — at Version 3

Reported by: Fernando de Oliveira Owned by: Pierre Labastie
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

Security Update

See Security in the news, below.

http://xmlsoft.org/sources/libxml2-sources-2.9.3.tar.gz

http://xmlsoft.org/sources/libxml2-sources-2.9.3.tar.gz.asc

http://www.xmlsoft.org/news.html 

v2.9.3: Nov 20 2015

  • Security:
    ◦ CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh
      Davenport),
    ◦ CVE-2015-7500 Fix memory access error due to incorrect entities
      boundaries (Daniel Veillard),
    ◦ CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard),
    ◦ CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel
      Veillard),
    ◦ CVE-2015-5312 Another entity expansion issue (David Drysdale),
    ◦ CVE-2015-7497 Avoid an heap buffer overflow in
      xmlDictComputeFastQKey (David Drysdale),
    ◦ CVE-2015-7498 Avoid processing entities after encoding conversion
      failures (Daniel Veillard),
    ◦ CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard),
    ◦ CVE-2015-7942-2 Fix an error in previous Conditional section patch
      (Daniel Veillard),
    ◦ CVE-2015-7942 Another variation of overflow in Conditional
      sections (Daniel Veillard),
    ◦ CVE-2015-1819 Enforce the reader to run in constant memory (Daniel
      Veillard)
    ◦ CVE-2015-7941_2 Cleanup conditional section error handling (Daniel
      Veillard),
    ◦ CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel
      Veillard),
  • Documentation:
    ◦ Correct spelling of "calling" (Alex Henrie),
    ◦ Fix a small error in xmllint --format description (Fabien
      Degomme),
    ◦ Avoid XSS on the search of xmlsoft.org (Daniel Veillard)
  • Portability:
    ◦ threads: use forward declarations only for glibc (Michael
      Heimpold),
    ◦ Update Win32 configure.js to search for configure.ac (Daniel
      Veillard)
  • Bug Fixes:
    ◦ Bug on creating new stream from entity (Daniel Veillard),
    ◦ Fix some loop issues embedding NEXT (Daniel Veillard),
    ◦ Do not print error context when there is none (Daniel Veillard),
    ◦ Avoid extra processing of MarkupDecl when EOF (Hugh Davenport),
    ◦ Fix parsing short unclosed comment uninitialized access (Daniel
      Veillard),
    ◦ Add missing Null check in xmlParseExternalEntityPrivate (Gaurav
      Gupta),
    ◦ Fix a bug in CData error handling in the push parser (Daniel
      Veillard),
    ◦ Fix a bug on name parsing at the end of current input buffer
      (Daniel Veillard),
    ◦ Fix the spurious ID already defined error (Daniel Veillard),
    ◦ Fix previous change to node sort order (Nick Wellnhofer),
    ◦ Fix a self assignment issue raised by clang (Scott Graham),
    ◦ Fail parsing early on if encoding conversion failed (Daniel
      Veillard),
    ◦ Do not process encoding values if the declaration if broken
      (Daniel Veillard),
    ◦ Silence clang's -Wunknown-attribute (Michael Catanzaro),
    ◦ xmlMemUsed is not thread-safe (Martin von Gagern),
    ◦ Fix support for except in nameclasses (Daniel Veillard),
    ◦ Fix order of root nodes (Nick Wellnhofer),
    ◦ Allow attributes on descendant-or-self axis (Nick Wellnhofer),
    ◦ Fix the fix to Windows locking (Steve Nairn),
    ◦ Fix timsort invariant loop re: Envisage article (Christopher
      Swenson),
    ◦ Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer),
    ◦ Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer),
    ◦ Remove various unused value assignments (Philip Withnall),
    ◦ Fix missing entities after CVE-2014-3660 fix (Daniel Veillard),
    ◦ Revert "Missing initialization for the catalog module" (Daniel
      Veillard)
  • Improvements:
    ◦ Reuse xmlHaltParser() where it makes sense (Daniel Veillard),
    ◦ xmlStopParser reset errNo (Daniel Veillard),
    ◦ Reenable xz support by default (Daniel Veillard),
    ◦ Recover unescaped less-than character in HTML recovery parsing
      (Daniel Veillard),
    ◦ Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance),
    ◦ Regression test for bug #695699 (Nick Wellnhofer),
    ◦ Add a couple of XPath tests (Nick Wellnhofer),
    ◦ Add Python 3 rpm subpackage (Tomas Radej),
    ◦ libxml2-config.cmake.in: update include directories (Samuel
      Martin),
    ◦ Adding example from bugs 738805 to regression tests (Daniel
      Veillard)
  • Cleanups:

Change History (3)

comment:1 by Fernando de Oliveira, 8 years ago

Description: modified (diff)

Sorry.

comment:2 by Pierre Labastie, 8 years ago

Owner: changed from blfs-book@… to Pierre Labastie
Status: newassigned

comment:3 by Fernando de Oliveira, 8 years ago

Description: modified (diff)

Sorry, Pierre, just another typo I committed in the Description. Apologies for intruding in your ticket.

Note: See TracTickets for help on using tickets.