#4993 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: high Milestone: 11.1
Component: Book Version: git
Severity: normal Keywords:


New point version.

Change History (4)

comment:1 by Bruce Dubbs, 20 months ago

Release 2.4.4 Sun January 30 2022 Security fixes:

 CVE-2022-23852 -- Fix signed integer overflow
                   (undefined behavior) in function XML_GetBuffer
                   (that is also called by function XML_Parse internally)
                   for when XML_CONTEXT_BYTES is defined to >0 (which is both
                   common and default).
                   Impact is denial of service or more.
 CVE-2022-23990 -- Fix unsigned integer overflow in function
                   doProlog triggered by large content in element type
                   declarations when there is an element declaration handler
                   present (from a prior call to XML_SetElementDeclHandler).
                   Impact is denial of service or more.

Bug fixes:

  • xmlwf: Fix a memory leak on output file opening error

Other changes:

  • Autotools: Fix broken CMake support under Cygwin
  • Windows: Add missing files to the installer to fix compilation with CMake from installed sources
  • Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do

comment:2 by Douglas R. Reno, 20 months ago

Priority: normalhigh

Promote to High due to CVE fixes

comment:3 by Bruce Dubbs, 20 months ago

Owner: changed from lfs-book to Bruce Dubbs
Status: newassigned

comment:4 by Bruce Dubbs, 20 months ago

Resolution: fixed
Status: assignedclosed

Fixed at commit a5d31dd654840c3e5990fd1b3f29831b2cc01cf6

Package updates and a patch.
    Add coreutils-9.0 chmod patch.
    Update to glibc-2.35.
    Update to linux-5.16.5.
    Update to findutils-4.9.0.
    Update to expat-2.4.4.
    Update to iana-etc-20220128.
Note: See TracTickets for help on using tickets.