Change log for libxml2 package in Ubuntu

Published in plucky-release
Deleted in plucky-proposed (Reason: Moved to plucky)
libxml2 (2.12.7+dfsg+really2.9.14-0.2ubuntu2) plucky; urgency=medium

  * Revert the last patch (ICU linking).
  * Don't build with ICU.

    libxml's README.md states:

    [ICU](https://icu.unicode.org/), a Unicode library. Mainly
    useful as an alternative to iconv on Windows. Unnecessary
    on most other systems.

    ICU 76.1 requires to be built with -std=c++17 or -std=gnu++17 or
    higher.  However including the ICU headers in the libxml2 headers,
    breaks builds with older C++ standards, most likely leading to
    some unrelated build failures for packages that don't rely on ICU,
    but are using libxml2.

 -- Matthias Klose <email address hidden>  Wed, 08 Jan 2025 13:46:56 +0100
Superseded in plucky-proposed
libxml2 (2.12.7+dfsg+really2.9.14-0.2ubuntu1) plucky; urgency=medium

  * Work around linking ICU libs.

 -- Matthias Klose <email address hidden>  Sun, 05 Jan 2025 22:01:31 +0100
Superseded in plucky-proposed
libxml2 (2.12.7+dfsg+really2.9.14-0.2build2) plucky; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Sun, 05 Jan 2025 20:30:21 +0100
Superseded in plucky-release
Deleted in plucky-proposed (Reason: Moved to plucky)
libxml2 (2.12.7+dfsg+really2.9.14-0.2build1) plucky; urgency=medium

  * SRU: #2083480: No-change rebuild to add support for Python 3.13.

 -- Matthias Klose <email address hidden>  Wed, 13 Nov 2024 10:04:57 +0100
Superseded in plucky-proposed
libxml2 (2.12.7+dfsg+really2.9.14-0.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Patch: Python 3.13 support. (Closes: #1084096)

 -- Stefano Rivera <email address hidden>  Wed, 06 Nov 2024 17:11:20 -0800
Superseded in plucky-proposed
libxml2 (2.12.7+dfsg+really2.9.14-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Revert packaging to 2.9.14+dfsg-1.3 currently in testing to revert ABI
    breakage (Closes: #1073508)

 -- Sebastian Ramacher <email address hidden>  Thu, 26 Sep 2024 17:15:36 +0200
Superseded in plucky-release
Published in oracular-release
Deleted in oracular-proposed (Reason: Moved to oracular)
libxml2 (2.12.7+dfsg-3) unstable; urgency=medium

  * d/control: replace pkg-config with pkgconf
  * source: override invalid-profile-name-in-source-relation noi18n
  * d/control: versioned Breaks at libxml-libxml-perl

 -- Aron Xu <email address hidden>  Wed, 29 May 2024 21:25:11 +0800
Superseded in oracular-proposed
libxml2 (2.12.7+dfsg-2) unstable; urgency=medium

  * d/control: Depends on liblzma-dev and zlib1g-dev explicitly
    (Closes: #1071834)

 -- Aron Xu <email address hidden>  Sat, 25 May 2024 22:51:40 +0800
Superseded in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libxml2 (2.9.14+dfsg-1.3ubuntu3) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 02:21:38 +0000
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libxml2 (2.9.14+dfsg-1.3ubuntu2) noble; urgency=medium

  * No-change rebuild to build with python3.12 only.

 -- Matthias Klose <email address hidden>  Sat, 16 Mar 2024 23:14:38 +0100
Published in focal-updates
Published in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.7) focal-security; urgency=medium

  * SECURITY UPDATE: use-after-free via XInclude expansion
    - debian/patches/CVE-2024-25062-pre1.patch: avoid call stack overflow
      with XML reader and recursive XIncludes in xmlreader.c.
    - debian/patches/CVE-2024-25062.patch: don't expand XIncludes when
      backtracking in xmlreader.c.
    - CVE-2024-25062

 -- Marc Deslauriers <email address hidden>  Fri, 16 Feb 2024 13:19:13 -0500
Published in jammy-updates
Published in jammy-security
libxml2 (2.9.13+dfsg-1ubuntu0.4) jammy-security; urgency=medium

  * SECURITY UPDATE: use-after-free via XInclude expansion
    - debian/patches/CVE-2024-25062.patch: don't expand XIncludes when
      backtracking in xmlreader.c.
    - CVE-2024-25062

 -- Marc Deslauriers <email address hidden>  Fri, 16 Feb 2024 13:14:24 -0500
Published in mantic-updates
Published in mantic-security
libxml2 (2.9.14+dfsg-1.3ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: use-after-free via XInclude expansion
    - debian/patches/CVE-2024-25062.patch: don't expand XIncludes when
      backtracking in xmlreader.c.
    - CVE-2024-25062

 -- Marc Deslauriers <email address hidden>  Fri, 16 Feb 2024 13:12:19 -0500
Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libxml2 (2.9.14+dfsg-1.3ubuntu1) noble; urgency=medium

  * SECURITY UPDATE: use-after-free via XInclude expansion
    - debian/patches/CVE-2024-25062.patch: don't expand XIncludes when
      backtracking in xmlreader.c.
    - CVE-2024-25062

 -- Marc Deslauriers <email address hidden>  Thu, 15 Feb 2024 11:00:50 -0500
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libxml2 (2.9.14+dfsg-1.3build3) noble; urgency=medium

  * No-change rebuild for ICU soname change.

 -- Matthias Klose <email address hidden>  Tue, 19 Dec 2023 11:06:39 +0100
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libxml2 (2.9.14+dfsg-1.3build2) noble; urgency=medium

  * armhf (-fstack-clash-protection) breakage rebuild

 -- Mate Kukri <email address hidden>  Thu, 23 Nov 2023 15:12:01 +0000
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libxml2 (2.9.14+dfsg-1.3build1) noble; urgency=medium

  * No-change rebuild with Python 3.12 as supported version

 -- Graham Inggs <email address hidden>  Tue, 31 Oct 2023 17:06:46 +0000
Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
libxml2 (2.9.14+dfsg-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Reset nsNr in xmlCtxtReset (CVE-2022-2309) (Closes: #1039991)
  * Also reset nsNr in htmlCtxtReset (CVE-2022-2309) (Closes: #1039991)

 -- Salvatore Bonaccorso <email address hidden>  Sat, 08 Jul 2023 21:18:29 +0200
Published in lunar-updates
Published in lunar-security
libxml2 (2.9.14+dfsg-1.1ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2309.patch: reset nsNr in
      xmlCtxReset in parser.c (LP: #1996494).
    - CVE-2022-2309
  * SECURITY UPDATE: Null dereference
    - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
      xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
      when parsing (invalid) XML schemas in
      result/schemas/oss-fuzz-51295_0_0.err,
      test/schemas/oss-fuzz-51295_0.xml,
      test/schemas/oss-fuzz-51295_0.xsd,
      xmlschemas.c.
    - CVE-2023-28484
  * SECURITY UPDATE: Logic or memory errors and double frees
    - debian/patches/CVE-2023-29469.patch: check namelen less equal zero in
      dict.c.
    - CVE-2023-29469

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 06 Jun 2023 13:24:32 -0300
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
  * Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484)
    (Closes: #1034436)
  * Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
    (Closes: #1034437)

 -- Salvatore Bonaccorso <email address hidden>  Sat, 15 Apr 2023 16:25:06 +0200
Obsolete in kinetic-updates
Obsolete in kinetic-security
libxml2 (2.9.14+dfsg-1ubuntu0.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: Null dereference
    - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
      xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
      when parsing (invalid) XML schemas in
      result/schemas/oss-fuzz-51295_0_0.err,
      test/schemas/oss-fuzz-51295_0.xml,
      test/schemas/oss-fuzz-51295_0.xsd,
      xmlschemas.c.
    - CVE-2023-28484
  * SECURITY UPDATE: Logic or memory errors and double frees
    - debian/patches/CVE-2023-29469.patch: check namelen less equal zero in
      dict.c.
    - CVE-2023-29469

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 13 Apr 2023 07:48:55 -0300
Superseded in jammy-updates
Superseded in jammy-security
libxml2 (2.9.13+dfsg-1ubuntu0.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Null dereference
    - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
      xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
      when parsing (invalid) XML schemas in
      result/schemas/oss-fuzz-51295_0_0.err,
      test/schemas/oss-fuzz-51295_0.xml,
      test/schemas/oss-fuzz-51295_0.xsd,
      xmlschemas.c.
    - CVE-2023-28484
  * SECURITY UPDATE: Logic or memory errors and double frees
    - debian/patches/CVE-2023-29469.patch: check namelen less equal zero in
      dict.c.
    - CVE-2023-29469

 -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 14 Apr 2023 08:19:12 -0300
Superseded in focal-updates
Superseded in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.6) focal-security; urgency=medium

  * SECURITY UPDATE: Null dereference
    - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
      xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
      when parsing (invalid) XML schemas in
      result/schemas/oss-fuzz-51295_0_0.err,
      test/schemas/oss-fuzz-51295_0.xml,
      test/schemas/oss-fuzz-51295_0.xsd,
      xmlschemas.c.
    - CVE-2023-28484
  * SECURITY UPDATE: Logic or memory errors and double frees
    - debian/patches/CVE-2023-29469.patch: check namelen less equal zero in
      dict.c.
    - CVE-2023-29469

 -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 14 Apr 2023 09:29:46 -0300
Published in bionic-updates
Published in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: Null dereference
    - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in
      xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType
      when parsing (invalid) XML schemas in
      result/schemas/oss-fuzz-51295_0_0.err,
      test/schemas/oss-fuzz-51295_0.xml,
      test/schemas/oss-fuzz-51295_0.xsd,
      xmlschemas.c.
    - CVE-2023-28484
  * SECURITY UPDATE: Logic or memory errors and double frees
    - debian/patches/CVE-2023-29469.patch: check namelen less equal zero in
      dict.c.
    - CVE-2023-29469

 -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 14 Apr 2023 10:26:30 -0300
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
libxml2 (2.9.14+dfsg-1.1build2) lunar; urgency=medium

  * Rebuild to drop Python 3.10 extension

 -- Jeremy Bicha <email address hidden>  Wed, 01 Mar 2023 22:09:21 -0500
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
libxml2 (2.9.14+dfsg-1.1build1) lunar; urgency=medium

  * Rebuild against latest icu

 -- Jeremy Bicha <email address hidden>  Sat, 04 Feb 2023 10:46:36 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
libxml2 (2.9.14+dfsg-1ubuntu0.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2309.patch: reset nsNr in
      xmlCtxReset in parser.c (LP: #1996494).
    - CVE-2022-2309
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-40303.patch: fix integer overflows
      with XML_PARSE_HUGE in parser.c.
    - CVE-2022-40303
  * SECURITY UPDATE: Double-free
    - debian/patches/CVE-2022-40304.patch: fix dict
      corruption caused by entity ref cycles in
      entities.c.
    - CVE-2022-40304

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 29 Nov 2022 16:23:02 -0300
Superseded in jammy-updates
Superseded in jammy-security
libxml2 (2.9.13+dfsg-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2309.patch: reset nsNr in
      xmlCtxReset in parser.c (LP: #1996494).
    - CVE-2022-2309
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-40303.patch: fix integer overflows
      with XML_PARSE_HUGE in parser.c.
    - CVE-2022-40303
  * SECURITY UPDATE: Double-free
    - debian/patches/CVE-2022-40304.patch: fix dict
      corruption caused by entity ref cycles in
      entities.c.
    - CVE-2022-40304

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 29 Nov 2022 16:39:07 -0300
Superseded in focal-updates
Superseded in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2309.patch: reset nsNr in
      xmlCtxReset in parser.c (LP: #1996494).
    - CVE-2022-2309
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-40303.patch: fix integer overflows
      with XML_PARSE_HUGE in parser.c.
    - CVE-2022-40303
  * SECURITY UPDATE: Double-free
    - debian/patches/CVE-2022-40304.patch: fix dict
      corruption caused by entity ref cycles in
      entities.c.
    - CVE-2022-40304

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 30 Nov 2022 09:53:52 -0300
Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2309.patch: reset nsNr in
      xmlCtxReset in parser.c (LP: #1996494).
    - CVE-2022-2309
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-40303.patch: fix integer overflows
      with XML_PARSE_HUGE in parser.c.
    - CVE-2022-40303
  * SECURITY UPDATE: Double-free
    - debian/patches/CVE-2022-40304.patch: fix dict
      corruption caused by entity ref cycles in
      entities.c.
    - CVE-2022-40304

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 01 Dec 2022 09:38:39 -0300
Superseded in lunar-proposed
libxml2 (2.9.14+dfsg-1build1) lunar; urgency=medium

  * No-change rebuild with Python 3.11 as supported

 -- Graham Inggs <email address hidden>  Wed, 02 Nov 2022 08:29:44 +0000
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix integer overflows with XML_PARSE_HUGE (CVE-2022-40303)
    (Closes: #1022224)
  * Fix dict corruption caused by entity reference cycles (CVE-2022-40304)
    (Closes: #1022225)

 -- Salvatore Bonaccorso <email address hidden>  Sun, 30 Oct 2022 11:18:06 +0100
Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.7) bionic-security; urgency=medium

  * SECURITY UPDATE: Possible cross-site scripting
    - debian/patches/CVE-2016-3709.patch: Revert "do not URI escape
      in server side includes" in HTMLtree.c.
    - CVE-2016-3709

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 01 Aug 2022 11:25:53 -0300
Superseded in focal-updates
Superseded in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.4) focal-security; urgency=medium

  * SECURITY UPDATE: Possible cross-site scripting
    - debian/patches/CVE-2016-3709.patch: Revert "do not URI escape
      in server side includes" in HTMLtree.c.
    - CVE-2016-3709

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 01 Aug 2022 11:05:23 -0300
Obsolete in impish-updates
Obsolete in impish-security
libxml2 (2.9.12+dfsg-4ubuntu0.2) impish-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
      xmlBuf and xmlBuffer in tree.c, buf.c.
    - CVE-2022-29824

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 09 May 2022 16:13:07 -0300
Superseded in jammy-updates
Superseded in jammy-security
libxml2 (2.9.13+dfsg-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
      xmlBuf and xmlBuffer in tree.c, buf.c.
    - CVE-2022-29824

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 09 May 2022 15:33:11 -0300
Superseded in focal-updates
Superseded in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
      xmlBuf and xmlBuffer in tree.c, buf.c.
    - CVE-2022-29824

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 10 May 2022 11:13:24 -0300
Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2022-29824.patch: Fix integer overflows in
      xmlBuf and xmlBuffer in tree.c, buf.c.
    - CVE-2022-29824

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 10 May 2022 11:18:33 -0300
Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
libxml2 (2.9.14+dfsg-1) unstable; urgency=high

  * Team upload.
  * New upstream version 2.9.14+dfsg.
    + Integer overflows in xmlBuf/xmlBuffer.  CVE-2022-29824 Closes: #1010526

 -- Mattia Rizzolo <email address hidden>  Thu, 05 May 2022 14:43:51 +0200
Superseded in kinetic-proposed
libxml2 (2.9.13+dfsg-1build2) kinetic; urgency=medium

  * No-change rebuild against latest icu

 -- Jeremy Bicha <email address hidden>  Fri, 29 Apr 2022 08:06:01 -0400
Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libxml2 (2.9.13+dfsg-1build1) jammy; urgency=medium

  * No-change rebuild with Python 3.10 only

 -- Graham Inggs <email address hidden>  Thu, 17 Mar 2022 19:28:02 +0000
Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: use-after-free of ID and IDREF attributes
    - debian/patches/CVE-2022-23308.patch: normalize ID attributes in
      valid.c.
    - CVE-2022-23308

 -- Marc Deslauriers <email address hidden>  Thu, 10 Mar 2022 13:00:02 -0500
Superseded in focal-updates
Superseded in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: use-after-free of ID and IDREF attributes
    - debian/patches/CVE-2022-23308.patch: normalize ID attributes in
      valid.c.
    - CVE-2022-23308

 -- Marc Deslauriers <email address hidden>  Thu, 10 Mar 2022 12:59:13 -0500
Superseded in impish-updates
Superseded in impish-security
libxml2 (2.9.12+dfsg-4ubuntu0.1) impish-security; urgency=medium

  * SECURITY UPDATE: use-after-free of ID and IDREF attributes
    - debian/patches/CVE-2022-23308.patch: normalize ID attributes in
      valid.c.
    - CVE-2022-23308

 -- Marc Deslauriers <email address hidden>  Thu, 10 Mar 2022 12:57:40 -0500
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libxml2 (2.9.13+dfsg-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.13+dfsg.
    + Convert devhelp to version2.  Closes: #955205
    + Use-after-free of ID and IDREF attrs.  CVE-2022-23308; Closes: #1006489
  * Bump my copyright for debian/*.
  * d/watch: move download source to https://download.gnome.org/.

 -- Mattia Rizzolo <email address hidden>  Sun, 27 Feb 2022 19:57:48 +0100

Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libxml2 (2.9.12+dfsg-6) unstable; urgency=medium

  * Team upload.
  * d/control:
    + Use the new Description field in the source paragraph and add references
      to the binary paragraphs.  This is a new feature since dpkg 1.19.0
      (from 2017).  Policy is not yet updated, see #998165.
    + Drop Build-Depends on python3-all-dbg, not used since the last revision.
  * Add patches from upstream to fix:
    + return code of xmllint when incorrectly called.  Closes: #727075
    + regression with entity references in external DTDs.  Closes: #994765

 -- Mattia Rizzolo <email address hidden>  Sat, 19 Feb 2022 13:11:26 +0100
Superseded in jammy-proposed
libxml2 (2.9.12+dfsg-5build1) jammy; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Wed, 09 Feb 2022 05:39:53 +0100
Superseded in jammy-proposed
libxml2 (2.9.12+dfsg-4build1) jammy; urgency=medium

  * No-change rebuild to add python3.10.

 -- Matthias Klose <email address hidden>  Sat, 16 Oct 2021 06:56:51 +0000
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libxml2 (2.9.12+dfsg-5) unstable; urgency=medium

  * Team upload.
  * Stop building the python3-libxml2-dbg package.  Closes: #994307
  * Add a Conflicts against the old w3c-dtd-xhtml, that contains a .dtd that
    is not validating anymore.  Closes: #993638
  * Remove lintian override that was fixed in lintian for
    debian-rules-uses-supported-python-versions-without-python-all-build-depends

 -- Mattia Rizzolo <email address hidden>  Mon, 20 Sep 2021 15:06:01 +0200
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
libxml2 (2.9.12+dfsg-4) unstable; urgency=medium

  * Team upload.
  * Add a few patches from upstream:
    + Work around lxml API abuse.
    + Fix regression in xmlNodeDumpOutputInternal.  LP: #1943277
    + Fix whitespace when serializing empty HTML documents.
    + Forbid epsilon-reduction of final states.
    + Fix buffering in xmlOutputBufferWrite.

 -- Mattia Rizzolo <email address hidden>  Fri, 10 Sep 2021 22:13:09 +0200
Superseded in impish-proposed
libxml2 (2.9.12+dfsg-3ubuntu1) impish; urgency=medium

  * Fix regression in 2.9.12 (LP: #1943277):
    - d/p/upstream/85b1792e37b131e7a51af98a37f92472e8de5f3f.patch:
      Add patch from upstream to work around lxml API abuse. Make
      xmlNodeDumpOutput and htmlNodeDumpFormatOutput work with corrupted
      parent pointers.
    - d/p/upstream/13ad8736d294536da4cbcd70a96b0a2fbf47070c.patch:
      Add patch from upstream to fix regression in xmlNodeDumpOutputInternal.
      Commit 85b1792e could cause additional whitespace if xmlNodeDump was
      called with a non-zero starting level.
    - d/p/upstream/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f.patch:
      Add patch from upstream to fix whitespace when serializing
      empty HTML documents.

 -- Corey Bryant <email address hidden>  Fri, 10 Sep 2021 11:33:12 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
libxml2 (2.9.12+dfsg-3) unstable; urgency=medium

  * Team upload.
  * Upload to unstable.
  * Add patch from upstream to fix a regression in the recursion limit for
    complex XSLT documents.  This also fixed the ruby-nokogiri test failure,
    so drop the previously introduced Breaks.
  * d/control: Bump Standards-Version to 4.6.0, no changes needed.

 -- Mattia Rizzolo <email address hidden>  Wed, 01 Sep 2021 16:45:21 +0200
Superseded in impish-proposed
libxml2 (2.9.12+dfsg-2) experimental; urgency=medium

  * Team upload.
  * d/control: Break ruby-nokogiri (<< 1.11.7).
  * lintian:
    + Add a link from usr/share/doc/libxml2/gtk-doc
      usr/share/gtk-doc/html/libxml2.  See #970275
    + Override for package-contains-documentation-outside-usr-share-doc.
  * Add two patches to refactor how docs are installed.
  * Add a patch to properly install all the documentation we were
    previously manually installing.
  * d/rules: Use the now working --docdir flag to install the documentation
    directly in the right place.
  * Move the documentation and examples from /usr/share/doc/libxml2-doc
    to /usr/share/doc/libxml2/, following Policy v3.9.7 §12.3.

 -- Mattia Rizzolo <email address hidden>  Thu, 29 Jul 2021 12:22:11 +0200

Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.4) bionic-security; urgency=medium

  * debian/patches/fix-error-handler-bug.patch: Add extra missing commit to
    previous CVE-2017-8872 fix, halt immediately when the error handler
    attempts to stop the parser.
  * SECURITY UPDATE: memory leak
    - debian/patches/CVE-2019-20388.patch: Memory leak in
      xmlSchemaValidateStream function in xmlschemas.c.
    - CVE-2019-20388
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
      sequences don't cause an out-of-bounds array access in xmllint.
    - CVE-2020-24977
  * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
      that names aren't stored in dictionaries.
    - CVE-2021-3516
  * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
      UTF-8 format, supplementing CVE-2020-24977 fix.
    - CVE-2021-3517
  * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
    - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
      list approach to avoid descending into other node types that can't
      contain elements.
    - CVE-2021-3518
  * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
    - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
      to xmlParseElementChildrenContentDeclPriv and return immediately in case
      of errors.
    - CVE-2021-3537

 -- Avital Ostromich <email address hidden>  Thu, 22 Apr 2021 19:26:37 -0400
Superseded in focal-updates
Superseded in focal-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
      sequences don't cause an out-of-bounds array access in xmllint.
    - CVE-2020-24977
  * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
      that names aren't stored in dictionaries.
    - CVE-2021-3516
  * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
      UTF-8 format, supplementing CVE-2020-24977 fix.
    - CVE-2021-3517
  * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
    - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
      list approach to avoid descending into other node types that can't
      contain elements.
    - CVE-2021-3518
  * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
    - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
      to xmlParseElementChildrenContentDeclPriv and return immediately in case
      of errors.
    - CVE-2021-3537
  * SECURITY UPDATE: Exponential entity expansion
    - debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to
      xmlParserEntityCheck to prevent entity exponential.
    - CVE-2021-3541

 -- Avital Ostromich <email address hidden>  Wed, 26 May 2021 19:51:20 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
libxml2 (2.9.10+dfsg-5ubuntu0.20.10.2) groovy-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-24977.patch: Make sure that truncated UTF-8
      sequences don't cause an out-of-bounds array access in xmllint.
    - CVE-2020-24977
  * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
      that names aren't stored in dictionaries.
    - CVE-2021-3516
  * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
      UTF-8 format, supplementing CVE-2020-24977 fix.
    - CVE-2021-3517
  * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
    - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
      list approach to avoid descending into other node types that can't
      contain elements.
    - CVE-2021-3518
  * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
    - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
      to xmlParseElementChildrenContentDeclPriv and return immediately in case
      of errors.
    - CVE-2021-3537
  * SECURITY UPDATE: Exponential entity expansion
    - debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to
      xmlParserEntityCheck to prevent entity exponential.
    - CVE-2021-3541

 -- Avital Ostromich <email address hidden>  Wed, 26 May 2021 19:43:37 -0400
Obsolete in hirsute-updates
Obsolete in hirsute-security
libxml2 (2.9.10+dfsg-6.3ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
      that names aren't stored in dictionaries.
    - CVE-2021-3516
  * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
    - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
      UTF-8 format, supplementing CVE-2020-24977 fix.
    - CVE-2021-3517
  * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
    - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
      list approach to avoid descending into other node types that can't
      contain elements.
    - CVE-2021-3518
  * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
    - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
      to xmlParseElementChildrenContentDeclPriv and return immediately in case
      of errors.
    - CVE-2021-3537
  * SECURITY UPDATE: Exponential entity expansion
    - debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to
      xmlParserEntityCheck to prevent entity exponential.
    - CVE-2021-3541

 -- Avital Ostromich <email address hidden>  Mon, 17 May 2021 18:13:47 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium

  * Non-maintainer upload.
  * Patch for security issue CVE-2021-3541 (Closes: #988603)

 -- Salvatore Bonaccorso <email address hidden>  Sat, 22 May 2021 08:21:29 +0200
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium

  * Non-maintainer upload.
  * Upload to unstable.

 -- Salvatore Bonaccorso <email address hidden>  Thu, 06 May 2021 10:48:16 +0200
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
libxml2 (2.9.10+dfsg-6.3build2) hirsute; urgency=medium

  * No-change rebuild to build with lto.

 -- Matthias Klose <email address hidden>  Mon, 29 Mar 2021 08:04:19 +0200
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-6.3build1) hirsute; urgency=medium

  * No-change rebuild to drop python3.8 extensions.

 -- Matthias Klose <email address hidden>  Mon, 07 Dec 2020 18:40:14 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-6.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Remove the Python2 autopkg test.

 -- Matthias Klose <email address hidden>  Sun, 29 Nov 2020 11:58:00 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-6.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix out-of-bounds read with 'xmllint --htmlout' (CVE-2020-24977)
    (Closes: #969529)

 -- Salvatore Bonaccorso <email address hidden>  Sun, 25 Oct 2020 13:56:23 +0100
Superseded in hirsute-proposed
libxml2 (2.9.10+dfsg-6.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix build with Python 3.9. Closes: #972022.

 -- Matthias Klose <email address hidden>  Wed, 14 Oct 2020 08:45:25 +0200
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-5build1) groovy; urgency=medium

  * No change rebuild against new icu ABI.

 -- Dimitri John Ledkov <email address hidden>  Mon, 27 Jul 2020 16:43:05 +0100
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-5) unstable; urgency=medium

  * Team upload.

  [ Mattia Rizzolo ]
  * d/rules:
    + Drop --disable-silent-rules, already passed by dh_auto_configure.
    + Drop --parallel, now default with debhelper compat > 10.
    + Use dh_installdocs and dh_installexamples to install docs and examples.
    + Use dh_missing --fail-missing (and add the relevant d/not-installed).
    + Minimize indep build to build only the docs.
  * d/watch: fix an option to avoid a warning message.
  * d/control:
    + Move most of the build-deps to Build-Depends-Arch.
    + Use ${python:Depends} also for python-libxml2-dbg.
  * Add a lintian override for
    debian-rules-uses-supported-python-versions-without-python-all-build-depends

  [ Gunnar Hjalmarsson ]
  * d/p/python3-unicode-errors.patch:
    Fix segfault issue with itstool and py3.  LP: #1869814

 -- Mattia Rizzolo <email address hidden>  Fri, 10 Apr 2020 14:53:23 +0200
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-4build1) focal; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Tue, 03 Mar 2020 21:48:24 +0100
Superseded in focal-proposed
libxml2 (2.9.10+dfsg-4) unstable; urgency=medium

  * Team upload.
  * Add patch from upstream to prevent a segfault in some platforms with
    illegal documents.

 -- Mattia Rizzolo <email address hidden>  Thu, 27 Feb 2020 19:21:45 +0100
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libxml2 (2.9.10+dfsg-1ubuntu3) focal; urgency=medium

  * debian/patches/0001-Check-the-type-of-each-node-in-xmlFreeNodeList-
    not-j.patch: Check the type of each node in xmlFreeNodeList, not just
    the parent node.

 -- Steve Langasek <email address hidden>  Sat, 22 Feb 2020 23:58:06 -0800
Superseded in focal-proposed
libxml2 (2.9.10+dfsg-1ubuntu2) focal; urgency=medium

  * Restore the old xml2-config behaviour to print the shared libs by default.
    xml2-config --libs --static still can be used for the private libs.

 -- Matthias Klose <email address hidden>  Thu, 20 Feb 2020 10:56:09 +0100
Superseded in focal-proposed
libxml2 (2.9.10+dfsg-1ubuntu1) focal; urgency=medium

  * Restore the xml2-config binary for now.

 -- Matthias Klose <email address hidden>  Tue, 18 Feb 2020 09:41:38 +0100
Superseded in focal-proposed
libxml2 (2.9.4+dfsg1-8ubuntu4) focal; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Thu, 13 Feb 2020 09:00:31 +0100
Published in xenial-updates
Published in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory leak
    - debian/patches/CVE-2019-19956.patch: fix memory leak in
      xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
    - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
    - debian/patches/CVE-2020-7595.patch: fix infinite loop in
      xmlStringLenDecodeEntities adding checks to ctxt->instate if
      it is == XML_PARSER_EOF in parser.c.
    - CVE-2020-7595

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 05 Feb 2020 14:02:29 -0300
Obsolete in eoan-updates
Obsolete in eoan-security
libxml2 (2.9.4+dfsg1-7ubuntu3.1) eoan-security; urgency=medium

  * SECURITY UPDATE: Memory leak
    - debian/patches/CVE-2019-19956.patch: fix memory leak in
      xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
    - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
    - debian/patches/CVE-2020-7595.patch: fix infinite loop in
      xmlStringLenDecodeEntities adding checks to ctxt->instate if
      it is == XML_PARSER_EOF in parser.c.
    - CVE-2020-7595

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 05 Feb 2020 14:14:31 -0300
Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Memory leak
    - debian/patches/CVE-2019-19956.patch: fix memory leak in
      xmlParseBalancedChunkMemoryRecover checking if doc is NULL in parser.c.
    - CVE-2019-19956
  * SECURITY UPDATE: Denial of service through an infinite loop
    - debian/patches/CVE-2020-7595.patch: fix infinite loop in
      xmlStringLenDecodeEntities adding checks to ctxt->instate if
      it is == XML_PARSER_EOF in parser.c.
    - CVE-2020-7595

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 05 Feb 2020 14:08:34 -0300