Change log for libxml2 package in Ubuntu

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libxml2 (2.9.4+dfsg1-8ubuntu1) focal; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - debian/patches/CVE-2017-16932.patch: fix in parser.c and
      add some error check files result/errors/759579.xml,
      result/errors/759579.xml.err, result/errors/759579.xml.str,
      test/errors/759579.xml.

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libxml2 (2.9.4+dfsg1-7ubuntu5) focal; urgency=medium

  * Adjust testsuite for python->python2 move

 -- Gianfranco Costamagna <email address hidden>  Thu, 24 Oct 2019 11:06:28 +0200
Superseded in focal-proposed
libxml2 (2.9.4+dfsg1-7ubuntu4) focal; urgency=medium

  * No-change rebuild to build with python3.8.

 -- Matthias Klose <email address hidden>  Fri, 18 Oct 2019 18:08:14 +0000
Superseded in focal-release
Obsolete in eoan-release
Obsolete in disco-release
Deleted in disco-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-7ubuntu3) disco; urgency=medium

  * No-change rebuild for icu soname changes.

 -- Matthias Klose <email address hidden>  Tue, 13 Nov 2018 08:14:59 +0000
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-7ubuntu2) disco; urgency=medium

  * No-change rebuild to build without python3.6 support.

 -- Matthias Klose <email address hidden>  Sat, 03 Nov 2018 11:51:26 +0000
Superseded in disco-release
Obsolete in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-7ubuntu1) cosmic; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567
  * SECURITY UPDATE: Infinite recursion/Denial of service
    - debian/patches/CVE-2017-16932.patch: fix in parser.c and
      add some error check files result/errors/759579.xml,
      result/errors/759579.xml.err, result/errors/759579.xml.str,
      test/errors/759579.xml.
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 16 Aug 2018 12:02:31 -0300
Published in trusty-updates
Published in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 13 Aug 2018 17:50:43 -0300
Superseded in xenial-updates
Superseded in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 13 Aug 2018 16:49:50 -0300
Superseded in bionic-updates
Superseded in bionic-security
libxml2 (2.9.4+dfsg1-6.1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: XXE attacks
    - debian/patches/CVE-2016-9318.patch: fix in parser.c.
    - CVE-2016-9318
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-18258.patch: fix in xzlib.c.
    - CVE-2017-18258
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-14404.patch: fix in xpath.c.
    - CVE-2018-14404
  * SECURITY UPDATE: Infinite loop in LZMA decompression
    - debian/patches/CVE-2018-14567.patch: fix in xzlib.c.
    - CVE-2018-14567
  * SECURITY UPDATE: Infinite recursion/Denial of service
    - debian/patches/CVE-2017-16932.patch: fix in parser.c and
      add some error check files result/errors/759579.xml,
      result/errors/759579.xml.err, result/errors/759579.xml.str,
      test/errors/759579.xml.
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Fri, 10 Aug 2018 15:30:23 -0300
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-7build1) cosmic; urgency=medium

  * No-change rebuild to build for python3.7.

 -- Matthias Klose <email address hidden>  Thu, 28 Jun 2018 06:58:57 +0000
Superseded in cosmic-proposed
libxml2 (2.9.4+dfsg1-7) unstable; urgency=medium

  * Team upload.
  * drop automatically generated dependency on (non-existing) libicu60-dbg
    from libxml2-dbg (closes: #900113)

 -- Rene Engelhard <email address hidden>  Sat, 26 May 2018 10:03:44 +0000
Superseded in cosmic-release
Published in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-6.1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.

Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-5.2ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.

Superseded in xenial-updates
Superseded in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 11 Dec 2017 13:29:09 -0300
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.12) trusty-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 11 Dec 2017 13:31:53 -0300
Obsolete in zesty-updates
Obsolete in zesty-security
libxml2 (2.9.4+dfsg1-2.2ubuntu0.3) zesty-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 11 Dec 2017 13:26:06 -0300
Obsolete in artful-updates
Obsolete in artful-security
libxml2 (2.9.4+dfsg1-4ubuntu1.2) artful-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
      xpath.c.
    - CVE-2017-15412

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 11 Dec 2017 13:30:29 -0300
Superseded in artful-updates
Superseded in artful-security
libxml2 (2.9.4+dfsg1-4ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 04 Dec 2017 15:22:50 -0300
Superseded in zesty-updates
Superseded in zesty-security
libxml2 (2.9.4+dfsg1-2.2ubuntu0.2) zesty-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 04 Dec 2017 15:21:45 -0300
Superseded in xenial-updates
Superseded in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 04 Dec 2017 15:20:29 -0300
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.11) trusty-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 04 Dec 2017 15:17:15 -0300
Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-5.1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.

Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-5ubuntu2) bionic; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Tue, 07 Nov 2017 08:54:26 +0000
Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-5ubuntu1) bionic; urgency=medium

  * debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it.

Superseded in bionic-proposed
libxml2 (2.9.4+dfsg1-4ubuntu2) bionic; urgency=medium

  * No-change rebuild for libicu soname change.

 -- Matthias Klose <email address hidden>  Wed, 25 Oct 2017 15:45:15 +0000
Superseded in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-4ubuntu1) artful; urgency=medium

  * Fix FTBFS: Fix debhelper -p and -N flags.
  *

 -- Matthias Klose <email address hidden>  Wed, 11 Oct 2017 11:06:37 +0200
Superseded in xenial-updates
Superseded in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: type confusion leading to out-of-bounds write
    - debian/patches/CVE-2017-0663.patch: eliminate cast
    - CVE-2017-0663
  * SECURITY UPDATE: XML external entity (XXE) vulnerability
    - debian/patches/CVE-2017-7375.patch: add validation for parsed
      entity references
    - CVE-2017-7375
  * SECURITY UPDATE: buffer overflow in URL handling
    - debian/patches/CVE-2017-7376.patch: allocate enough memory for
      ports in HTTP redirect support
    - CVE-2017-7376
  * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent()
    - debian/patches/CVE-2017-9047-9048.patch: ensure enough space
      remains in buffer for copied data
    - CVE-2017-9047, CVE-2017-9048
  * SECURITY UPDATE: heap based buffer overreads in
    xmlDictComputeFastKey()
    - debian/patches/CVE-2017-9049-9050.patch: drop unnecessary
      expansions, add additional sanity check
    - CVE-2017-9049, CVE-2017-9050

 -- Steve Beattie <email address hidden>  Fri, 15 Sep 2017 16:00:14 -0700
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.10) trusty-security; urgency=medium

  * SECURITY UPDATE: type confusion leading to out-of-bounds write
    - debian/patches/CVE-2017-0663.patch: eliminate cast
    - CVE-2017-0663
  * SECURITY UPDATE: XML external entity (XXE) vulnerability
    - debian/patches/CVE-2017-7375.patch: add validation for parsed
      entity references
    - CVE-2017-7375
  * SECURITY UPDATE: buffer overflow in URL handling
    - debian/patches/CVE-2017-7376.patch: allocate enough memory for
      ports in HTTP redirect support
    - CVE-2017-7376
  * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent()
    - debian/patches/CVE-2017-9047-9048.patch: ensure enough space
      remains in buffer for copied data
    - CVE-2017-9047, CVE-2017-9048
  * SECURITY UPDATE: heap based buffer overreads in
    xmlDictComputeFastKey()
    - debian/patches/CVE-2017-9049-9050.patch: drop unnecessary
      expansions, add additional sanity check
    - CVE-2017-9049, CVE-2017-9050

 -- Steve Beattie <email address hidden>  Fri, 15 Sep 2017 16:19:46 -0700
Superseded in zesty-updates
Superseded in zesty-security
libxml2 (2.9.4+dfsg1-2.2ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: type confusion leading to out-of-bounds write
    - debian/patches/CVE-2017-0663.patch: eliminate cast
    - CVE-2017-0663
  * SECURITY UPDATE: XML external entity (XXE) vulnerability
    - debian/patches/CVE-2017-7375.patch: add validation for parsed
      entity references
    - CVE-2017-7375
  * SECURITY UPDATE: buffer overflow in URL handling
    - debian/patches/CVE-2017-7376.patch: allocate enough memory for
      ports in HTTP redirect support
    - CVE-2017-7376
  * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent()
    - debian/patches/CVE-2017-9047-9048.patch: ensure enough space
      remains in buffer for copied data
    - CVE-2017-9047, CVE-2017-9048
  * SECURITY UPDATE: heap based buffer overreads in
    xmlDictComputeFastKey()
    - debian/patches/CVE-2017-9049-9050.patch: drop unnecessary
      expansions, add additional sanity check
    - CVE-2017-9049, CVE-2017-9050

 -- Steve Beattie <email address hidden>  Fri, 15 Sep 2017 16:13:37 -0700
Superseded in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-3.1) unstable; urgency=low

  * Non-maintainer upload.
  * Increase buffer space for port in HTTP redirect support (CVE-2017-7376)
    Incorrect limit was used for port values. (Closes: #870865)
  * Prevent unwanted external entity reference (CVE-2017-7375)
    Missing validation for external entities in xmlParsePEReference.
    (Closes: #870867)
  * Fix handling of parameter-entity references (CVE-2017-9049, CVE-2017-9050)
    - Heap-based buffer over-read in function xmlDictComputeFastKey
      (CVE-2017-9049).
    - Heap-based buffer over-read in function xmlDictAddString
      (CVE-2017-9050).
    (Closes: #863019, #863018)
  * Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047,
    CVE-2017-9048)
    - Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047).
    - Stack-based buffer overflow in function xmlSnprintfElementContent
      (CVE-2017-9048).
    (Closes: #863022, #863021)
  * Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663)
    Heap buffer overflow in xmlAddID. (Closes: #870870)

 -- Salvatore Bonaccorso <email address hidden>  Sun, 20 Aug 2017 06:56:40 +0200
Superseded in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-3build2) artful; urgency=medium

  * No-change rebuild against python3.6

 -- Jeremy Bicha <email address hidden>  Wed, 02 Aug 2017 16:08:27 -0400
Superseded in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-3build1) artful; urgency=medium

  * No-change rebuild to build with python3.6.

 -- Matthias Klose <email address hidden>  Mon, 24 Jul 2017 13:52:40 +0000
Superseded in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-3) unstable; urgency=medium

  * Team upload.

  [ Mattia Rizzolo ]
  * d/control:
    + Use HTTPS in Vcs-* fields.
    + Remove the deprecated '${python:Provides}' and '${python3:Provides}'.
    + Bump Standards-Version to 4.0.0, no changes needed.
  * Build for all supported python versions.  Closes: #864328
    Thanks to YunQiang Su <email address hidden> for the initial patch.
  * Drop libxml-utils-dbg package in favour of the automatic debug package.
  * Replace the upstream ChangeLog with the NEWS file.  Closes: #808372
    The ChangeLog file stopped being updated in 2009, whereas NEWS is
    automatically generated by upstream during releases.
  * d/rules:
    + Correctly make use of the dh sequencer in the build step.
      Override dh_auto_build instead of using build/build-arch/build-indep
      targets directly.
      This makes it possible for dh to call dh_autoreconf and other helpers that
      would otherwise be skipped (like dh_update_autotools_config).
    + Fix duplicated targets for override_dh_auto_install-indep.
    + Streamline dpkg-buildflags usage.
  * Bump debhelper compat level to 10
    + remove --parallel, now default
    + remove --with autoreconf, now default

  [ Helmut Grohne ]
  * Improve build profiles support.  Closes: #862867
    + Rename the meaningless stage1 to the meaningful nopython.
    + Use the standard variable DEB_BUILD_PROFILES rather than
      DEB_BUILD_PROFILE by checking dh_listpackages.
    + Correctly build nopython even when python is installed.
    + Add build profile annotations to debian/control.

 -- Mattia Rizzolo <email address hidden>  Tue, 04 Jul 2017 21:59:55 +0200
Superseded in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-2.2ubuntu1) artful; urgency=medium

  * Only build for the default version of Python.

 -- Michael Hudson-Doyle <email address hidden>  Tue, 16 May 2017 14:45:03 +1200
Superseded in artful-release
Deleted in artful-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-2.2build1) artful; urgency=medium

  * No change rebuild to add Python 3.6 support.

 -- Michael Hudson-Doyle <email address hidden>  Fri, 12 May 2017 11:47:33 +1200
Superseded in precise-updates
Superseded in precise-security
libxml2 (2.7.8.dfsg-5.1ubuntu4.17) precise-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - fix format string warnings in HTMLparser.c, SAX2.c, catalog.c,
      configure, configure.in, debugXML.c, encoding.c, entities.c, error.c,
      include/libxml/parserInternals.h, include/libxml/xmlerror.h,
      include/libxml/xmlstring.h, libxml.h, parser.c, parserInternals.c,
      relaxng.c, schematron.c, testModule.c, valid.c, xinclude.c, xmlIO.c,
      xmllint.c, xmlreader.c, xmlschemas.c, xmlstring.c, xmlwriter.c,
      xpath.c, xpointer.c.
    - 4472c3a5a5b516aaf59b89be602fbce52756c3e9
    - 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b
    - d77e5fc4bcdb7da748c9cca116a601ae4df60d21
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - disallow namespace nodes in XPointer ranges in xpointer.c.
    - c1d1f7121194036608bf555f08d3062a36fd344b
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - fix XPointer paths beginning with range-to and fix comparison with
      root node in xmlXPathCmpNodes in xpath.c, xpointer.c.
    - 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
    - a005199330b86dada19d162cae15ef9bdcb6baa8
    - CVE-2016-5131

 -- Marc Deslauriers <email address hidden>  Wed, 15 Mar 2017 09:00:55 -0400
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.9) trusty-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.in, debugXML.c,
      encoding.c, entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/patches/CVE-2016-4448-3.patch: fix build on pre-C99 compilers
      in relaxng.c, xmlschemas.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131

 -- Marc Deslauriers <email address hidden>  Wed, 15 Mar 2017 07:54:26 -0400
Superseded in xenial-updates
Superseded in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.ac, debugXML.c,
      encoding.c, entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131
  * debian/patches/lp1652325.patch: XML push parser fails with bogus
    UTF-8 encoding error when multi-byte character in large CDATA section
    is split across buffer (LP: #1652325)

 -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2017 16:06:13 -0400
Obsolete in yakkety-updates
Obsolete in yakkety-security
libxml2 (2.9.4+dfsg1-2ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131

 -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2017 16:01:34 -0400
Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-2.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix attribute decoding during XML schema validation 
    (Closes: #832602, #832864)

 -- Mònica Ramírez Arceda <email address hidden>  Sat, 14 Jan 2017 15:31:49 +0100
Superseded in zesty-proposed
libxml2 (2.9.4+dfsg1-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix comparison with root node in xmlXPathCmpNodes
  * Fix XPointer paths beginning with range-to (CVE-2016-5131)
    (Closes: #840554)
  * Disallow namespace nodes in XPointer ranges (CVE-2016-4658)
    (Closes: #840553)
  * Fix more NULL pointer derefs in xpointer.c

 -- Salvatore Bonaccorso <email address hidden>  Sun, 30 Oct 2016 16:30:55 +0100
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-2) unstable; urgency=medium

  [ YunQiang Su ]
  * add python3 support (Closes: #737774)
  * fix typo in test/control: python->python3

  [ Aron Xu ]
  * Really allow parallel building
  * Mark python3-libxml2* as M-A: same

 -- Aron Xu <email address hidden>  Mon, 12 Sep 2016 02:57:02 +0800

Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
libxml2 (2.9.4+dfsg1-1) unstable; urgency=medium

  * Imported Upstream version 2.9.4+dfsg1
    - Closes: 829718, CVE-2016-4448
  * Drop patches applied upstream, refresh remainders
  * Update Std-Ver to 3.9.8 from 3.9.6
  * Update symbols for 2.9.4
  * cherry-pick: Fix NULL pointer deref in XPointer range-to

 -- Aron Xu <email address hidden>  Tue, 19 Jul 2016 11:42:45 +0800

Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
libxml2 (2.9.3+dfsg1-1.2) unstable; urgency=medium

  [ Simon McVittie ]
  * Non-maintainer upload.
  * Add -arch suffix to some architecture-specific debhelper overrides,
    fixing FTBFS with dpkg-buildpackage -A or when source-only uploads
    are used (Closes: #806065)
    - Do a build for the default Python version even when we are
      building arch-indep-only: we need something for gtk-doc to analyze

 -- Salvatore Bonaccorso <email address hidden>  Sun, 05 Jun 2016 07:23:42 +0200
Superseded in precise-updates
Superseded in precise-security
libxml2 (2.7.8.dfsg-5.1ubuntu4.15) precise-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overread in xmlNextChar
    - return after error in parser.c.
    - a7a94612aa3b16779e2c74e1fa353b5d9786c602
    - CVE-2016-1762
  * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar
    - clear up NULL deref, handle 0-length entities and fix tests in
      parserInternals.c.
    - ff76eb28c75451bc56e3b93f44dac155ca29e7f5
    - fdfeecc1b73b0318466f0d61f0b8881ed9d92dd2
    - 0bcd05c5cd83dec3406c8f68b769b1d610c72f76
    - CVE-2016-1833
  * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat
    - check for negative lengths in xmlstring.c.
    - 8fbbf5513d609c1770b391b99e33314cd0742704
    - CVE-2016-1834
  * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs
    - add check to parser.c, add tests to result/errors/759020.xml.err,
      result/errors/759020.xml.str, test/errors/759020.xml.
    - 38eae571111db3b43ffdeb05487c9f60551906fb
    - CVE-2016-1835
  * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and
    htmlParseSystemLiteral
    - prevent stale pointer usage in HTMLparser.c.
    - 11ed4a7a90d5ce156a18980a4ad4e53e77384852
    - CVE-2016-1837
  * SECURITY UPDATE: heap-based buffer overread in
    xmlParserPrintFileContextInternal
    - add bounds check to parser.c,
      add tests to result/errors/758588.xml.err,
      result/errors/758588.xml.str, test/errors/758588.xml.
    - db07dd613e461df93dde7902c6505629bf0734e9
    - CVE-2016-1838
  * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString
    - add bounds check to HTMLparser.c.
    - a820dbeac29d330bae4be05d9ecd939ad6b4aa33
    - CVE-2015-8806
    - CVE-2016-1839
    - CVE-2016-2073
  * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup
    - properly handle error in xmlregexp.c.
    - cbb271655cadeb8dbb258a64701d9a3a0c4835b4
    - CVE-2016-1840
  * SECURITY UPDATE: avoid building recursive entities
    - properly handle recursion in parser.c, tree.c.
    - bdd66182ef53fe1f7209ab6535fda56366bd7ac9
    - CVE-2016-3627
  * SECURITY UPDATE: recursion depth counter issue
    - properly count recursion depth in parser.c.
    - 8f30bdff69edac9075f4663ce3b56b0c52d48ce6
    - CVE-2016-3705
  * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName
    - improve error handling in parser.c.
    - 00906759053986b8079985644172085f74331f83
    - CVE-2016-4447
  * SECURITY UPDATE: inappropriate fetch of entities content
    - fix another external entity fetch in parser.c.
    - b1d34de46a11323fccffa9fadeb33be670d602f5
    - CVE-2016-4449
  * SECURITY UPDATE: out of bound access when serializing malformed strings
    - improve string handling in xmlsave.c.
    - c97750d11bb8b6f3303e7131fe526a61ac65bcfd
    - CVE-2016-4483

 -- Marc Deslauriers <email address hidden>  Fri, 03 Jun 2016 09:11:38 -0400
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.8) trusty-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overread in xmlNextChar
    - debian/patches/CVE-2016-1762.patch: return after error in parser.c.
    - CVE-2016-1762
  * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar
    - debian/patches/CVE-2016-1833-pre.patch: clear up NULL deref in
      parserInternals.c.
    - debian/patches/CVE-2016-1833-pre2.patch: handle 0-length entities in
      parserInternals.c.
    - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c.
    - CVE-2016-1833
  * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat
    - debian/patches/CVE-2016-1834.patch: check for negative lengths in
      xmlstring.c.
    - CVE-2016-1834
  * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs
    - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests
      to result/errors/759020.xml.err, result/errors/759020.xml.str,
      test/errors/759020.xml.
    - CVE-2016-1835
  * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey
    - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in
      parser.c, added tests to result/errors/759398.xml.err,
      result/errors/759398.xml.str, test/errors/759398.xml.
    - CVE-2016-1836
  * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and
    htmlParseSystemLiteral
    - debian/patches/CVE-2016-1837.patch: prevent stale pointer usage in
      HTMLparser.c.
    - CVE-2016-1837
  * SECURITY UPDATE: heap-based buffer overread in
    xmlParserPrintFileContextInternal
    - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c,
      add tests to result/errors/758588.xml.err,
      result/errors/758588.xml.str, test/errors/758588.xml.
    - CVE-2016-1838
  * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString
    - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c.
    - CVE-2015-8806
    - CVE-2016-1839
    - CVE-2016-2073
  * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup
    - debian/patches/CVE-2016-1840.patch: properly handle error in
      xmlregexp.c.
    - CVE-2016-1840
  * SECURITY UPDATE: avoid building recursive entities
    - debian/patches/CVE-2016-3627.patch: properly handle recursion in
      parser.c, tree.c.
    - CVE-2016-3627
  * SECURITY UPDATE: recursion depth counter issue
    - debian/patches/CVE-2016-3705.patch: properly count recursion depth in
      parser.c.
    - CVE-2016-3705
  * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName
    - debian/patches/CVE-2016-4447.patch: improve error handling in
      parser.c.
    - CVE-2016-4447
  * SECURITY UPDATE: inappropriate fetch of entities content
    - debian/patches/CVE-2016-4449.patch: fix another external entity fetch
      in parser.c.
    - CVE-2016-4449
  * SECURITY UPDATE: out of bound access when serializing malformed strings
    - debian/patches/CVE-2016-4483.patch: improve string handling in
      xmlsave.c.
    - CVE-2016-4483

 -- Marc Deslauriers <email address hidden>  Fri, 03 Jun 2016 08:59:55 -0400
Obsolete in wily-updates
Obsolete in wily-security
libxml2 (2.9.2+zdfsg1-4ubuntu0.4) wily-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overread in xmlNextChar
    - debian/patches/CVE-2016-1762.patch: return after error in parser.c.
    - CVE-2016-1762
  * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar
    - debian/patches/CVE-2016-1833-pre2.patch: handle 0-length entities in
      parserInternals.c.
    - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c.
    - CVE-2016-1833
  * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat
    - debian/patches/CVE-2016-1834.patch: check for negative lengths in
      xmlstring.c.
    - CVE-2016-1834
  * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs
    - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests
      to result/errors/759020.xml.err, result/errors/759020.xml.str,
      test/errors/759020.xml.
    - CVE-2016-1835
  * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey
    - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in
      parser.c, added tests to result/errors/759398.xml.err,
      result/errors/759398.xml.str, test/errors/759398.xml.
    - CVE-2016-1836
  * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and
    htmlParseSystemLiteral
    - debian/patches/CVE-2016-1837.patch: prevent stale pointer usage in
      HTMLparser.c.
    - CVE-2016-1837
  * SECURITY UPDATE: heap-based buffer overread in
    xmlParserPrintFileContextInternal
    - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c,
      add tests to result/errors/758588.xml.err,
      result/errors/758588.xml.str, test/errors/758588.xml.
    - CVE-2016-1838
  * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString
    - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c.
    - CVE-2015-8806
    - CVE-2016-1839
    - CVE-2016-2073
  * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup
    - debian/patches/CVE-2016-1840.patch: properly handle error in
      xmlregexp.c.
    - CVE-2016-1840
  * SECURITY UPDATE: avoid building recursive entities
    - debian/patches/CVE-2016-3627.patch: properly handle recursion in
      parser.c, tree.c.
    - CVE-2016-3627
  * SECURITY UPDATE: recursion depth counter issue
    - debian/patches/CVE-2016-3705.patch: properly count recursion depth in
      parser.c.
    - CVE-2016-3705
  * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName
    - debian/patches/CVE-2016-4447.patch: improve error handling in
      parser.c.
    - CVE-2016-4447
  * SECURITY UPDATE: inappropriate fetch of entities content
    - debian/patches/CVE-2016-4449.patch: fix another external entity fetch
      in parser.c.
    - CVE-2016-4449
  * SECURITY UPDATE: out of bound access when serializing malformed strings
    - debian/patches/CVE-2016-4483.patch: improve string handling in
      xmlsave.c.
    - CVE-2016-4483

 -- Marc Deslauriers <email address hidden>  Fri, 03 Jun 2016 08:55:52 -0400
Superseded in xenial-updates
Superseded in xenial-security
libxml2 (2.9.3+dfsg1-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overread in xmlNextChar
    - debian/patches/CVE-2016-1762.patch: return after error in parser.c.
    - CVE-2016-1762
  * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar
    - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c.
    - CVE-2016-1833
  * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat
    - debian/patches/CVE-2016-1834.patch: check for negative lengths in
      xmlstring.c.
    - CVE-2016-1834
  * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs
    - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests
      to result/errors/759020.xml.err, result/errors/759020.xml.str,
      test/errors/759020.xml.
    - CVE-2016-1835
  * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey
    - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in
      parser.c, added tests to result/errors/759398.xml.err,
      result/errors/759398.xml.str, test/errors/759398.xml.
    - CVE-2016-1836
  * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and
    htmlParseSystemLiteral
    - debian/patches/CVE-2016-1837.patch: prevent stale pointer usage in
      HTMLparser.c.
    - CVE-2016-1837
  * SECURITY UPDATE: heap-based buffer overread in
    xmlParserPrintFileContextInternal
    - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c,
      add tests to result/errors/758588.xml.err,
      result/errors/758588.xml.str, test/errors/758588.xml.
    - CVE-2016-1838
  * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString
    - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c.
    - CVE-2015-8806
    - CVE-2016-1839
    - CVE-2016-2073
  * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup
    - debian/patches/CVE-2016-1840.patch: properly handle error in
      xmlregexp.c.
    - CVE-2016-1840
  * SECURITY UPDATE: avoid building recursive entities
    - debian/patches/CVE-2016-3627.patch: properly handle recursion in
      parser.c, tree.c.
    - CVE-2016-3627
  * SECURITY UPDATE: recursion depth counter issue
    - debian/patches/CVE-2016-3705.patch: properly count recursion depth in
      parser.c.
    - CVE-2016-3705
  * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName
    - debian/patches/CVE-2016-4447.patch: improve error handling in
      parser.c.
    - CVE-2016-4447
  * SECURITY UPDATE: inappropriate fetch of entities content
    - debian/patches/CVE-2016-4449.patch: fix another external entity fetch
      in parser.c.
    - CVE-2016-4449
  * SECURITY UPDATE: out of bound access when serializing malformed strings
    - debian/patches/CVE-2016-4483.patch: improve string handling in
      xmlsave.c.
    - CVE-2016-4483

 -- Marc Deslauriers <email address hidden>  Fri, 03 Jun 2016 08:05:40 -0400
Superseded in yakkety-proposed
libxml2 (2.9.3+dfsg1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
  * heap-buffer-overflow in xmlStrncat (CVE-2016-1834)
  * Add missing increments of recursion depth counter to XML parser
    (CVE-2016-3705) (Closes: #823414)
  * Avoid an out of bound access when serializing malformed strings
    (CVE-2016-4483) (Closes: #823405)
  * Heap-buffer-overflow in xmlFAParsePosCharGroup (CVE-2016-1840)
  * Heap-based buffer overread in xmlParserPrintFileContextInternal
    (CVE-2016-1838)
  * Heap-based buffer overread in xmlDictAddString (CVE-2016-1839
    CVE-2015-8806 CVE-2016-2073) (Closes: #813613, #812807)
  * Heap use-after-free in xmlDictComputeFastKey (CVE-2016-1836)
  * Fix inappropriate fetch of entities content (CVE-2016-4449)
  * Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral
    (CVE-2016-1837)
  * Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
  * Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
  * Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
  * Avoid building recursive entities (CVE-2016-3627) (Closes: #819006)

 -- Salvatore Bonaccorso <email address hidden>  Sat, 28 May 2016 06:51:08 +0200
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
libxml2 (2.9.3+dfsg1-1build1) yakkety; urgency=medium

  * No-change rebuild for libicu soname change.

 -- Matthias Klose <email address hidden>  Fri, 22 Apr 2016 22:58:37 +0000
Superseded in wily-updates
Superseded in wily-security
libxml2 (2.9.2+zdfsg1-4ubuntu0.3) wily-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
    (LP: #1525996)
    - add extra commits to this previously-fixed CVE
    - debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
      makes sense in parser.c.
    - debian/patches/CVE-2015-7499-4.patch: do not print error context when
      there is none in error.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds memory access via unclosed html comment
    - debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
      comment uninitialized access in HTMLparser.c.
    - CVE-2015-8710

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jan 2016 13:11:43 -0500
Obsolete in vivid-updates
Obsolete in vivid-security
libxml2 (2.9.2+dfsg1-3ubuntu0.3) vivid-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
    (LP: #1525996)
    - add extra commits to this previously-fixed CVE
    - debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
      makes sense in parser.c.
    - debian/patches/CVE-2015-7499-4.patch: do not print error context when
      there is none in error.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds memory access via unclosed html comment
    - debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
      comment uninitialized access in HTMLparser.c.
    - CVE-2015-8710

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jan 2016 13:12:24 -0500
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.7) trusty-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
    (LP: #1525996)
    - add extra commits to this previously-fixed CVE
    - debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
      makes sense in parser.c.
    - debian/patches/CVE-2015-7499-4.patch: do not print error context when
      there is none in error.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds memory access via unclosed html comment
    - debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
      comment uninitialized access in HTMLparser.c.
    - CVE-2015-8710

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jan 2016 13:13:10 -0500
Superseded in precise-updates
Superseded in precise-security
libxml2 (2.7.8.dfsg-5.1ubuntu4.14) precise-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
    (LP: #1525996)
    - add extra commits to this previously-fixed CVE
    - parser.c: reuse xmlHaltParser() where it makes sense.
    - e3b1597421ad7cbeb5939fc3b54f43f141c82366
    - error.c: do not print error context when there is none.
    - ce0b0d0d81fdbb5f722a890432b52d363e4de57b
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds memory access via unclosed html comment
    - HTMLparser.c: fix parsing short unclosed comment uninitialized
      access.
    - e724879d964d774df9b7969fc846605aa1bac54c
    - CVE-2015-8710

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jan 2016 13:16:09 -0500
Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
libxml2 (2.9.2+zdfsg1-4ubuntu3) xenial; urgency=medium

  * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
    (LP: #1525996)
    - add extra commits to this previously-fixed CVE
    - debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
      makes sense in parser.c.
    - debian/patches/CVE-2015-7499-4.patch: do not print error context when
      there is none in error.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds memory access via unclosed html comment
    - debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
      comment uninitialized access in HTMLparser.c.
    - CVE-2015-8710

 -- Marc Deslauriers <email address hidden>  Thu, 14 Jan 2016 08:59:31 -0500
Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
libxml2 (2.9.3+dfsg1-1) unstable; urgency=medium

  * New upstream release.

 -- Aron Xu <email address hidden>  Mon, 14 Dec 2015 15:35:25 +0800
Superseded in precise-updates
Superseded in precise-security
libxml2 (2.7.8.dfsg-5.1ubuntu4.13) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion issue
    - parser.c: properly exit when entity expansion is detected.
    - https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e
    - CVE-2015-5312
  * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
    - dict.c: check offset.
    - https://git.gnome.org/browse/libxml2/commit/?id=6360a31a84efe69d155ed96306b9a931a40beab9
    - CVE-2015-7497
  * SECURITY UPDATE: denial of service via encoding conversion failures
    - parser.c: avoid processing entities after encoding conversion
      failures.
    - https://git.gnome.org/browse/libxml2/commit/?id=afd27c21f6b36e22682b7da20d726bce2dcb2f43
    - CVE-2015-7498
  * SECURITY UPDATE: out of bounds read in xmlGROW
    - parser.c: add xmlHaltParser() to stop the parser and check input.
    - https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc
    - https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds read in xmlParseMisc
    - parser.c: check entity boundaries.
    - https://git.gnome.org/browse/libxml2/commit/?id=f1063fdbe7fa66332bbb76874101c2a7b51b519f
    - CVE-2015-7500
  * SECURITY UPDATE: denial of service via extra processing of MarkupDecl
    - parser.c: add extra EOF check.
    - https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
    - CVE-2015-8241
  * SECURITY UPDATE: buffer overread with HTML parser in push mode
    - HTMLparser.c: use pointer in the input in.
    - https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2
    - CVE-2015-8242
  * SECURITY UPDATE: denial of service via encoding failures
    - parser.c: do not process encoding values if the declaration is broken
      and fail parsing if the encoding conversion failed.
    - https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c
    - https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e
    - CVE-2015-8317

 -- Marc Deslauriers <email address hidden>  Wed, 09 Dec 2015 12:35:41 -0500
Superseded in vivid-updates
Superseded in vivid-security
libxml2 (2.9.2+dfsg1-3ubuntu0.2) vivid-security; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion issue
    - debian/patches/CVE-2015-5312.patch: properly exit when entity
      expansion is detected in parser.c.
    - CVE-2015-5312
  * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
    - debian/patches/CVE-2015-7497.patch: check offset in dict.c.
    - CVE-2015-7497
  * SECURITY UPDATE: denial of service via encoding conversion failures
    - debian/patches/CVE-2015-7498.patch: avoid processing entities after
      encoding conversion failures in parser.c.
    - CVE-2015-7498
  * SECURITY UPDATE: out of bounds read in xmlGROW
    - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the
      parser in parser.c.
    - debian/patches/CVE-2015-7499-2.patch: check input in parser.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds read in xmlParseMisc
    - debian/patches/CVE-2015-7500.patch: check entity boundaries in
      parser.c.
    - CVE-2015-7500
  * SECURITY UPDATE: denial of service via extra processing of MarkupDecl
    - debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c.
    - CVE-2015-8241
  * SECURITY UPDATE: buffer overread with HTML parser in push mode
    - debian/patches/CVE-2015-8242.patch: use pointer in the input in
      HTMLparser.c.
    - CVE-2015-8242
  * SECURITY UPDATE: denial of service via encoding failures
    - debian/patches/CVE-2015-8317-1.patch: do not process encoding values
      if the declaration is broken in parser.c.
    - debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding
      conversion failed in parser.c.
    - CVE-2015-8317

 -- Marc Deslauriers <email address hidden>  Wed, 09 Dec 2015 11:35:28 -0500
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion issue
    - debian/patches/CVE-2015-5312.patch: properly exit when entity
      expansion is detected in parser.c.
    - CVE-2015-5312
  * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
    - debian/patches/CVE-2015-7497.patch: check offset in dict.c.
    - CVE-2015-7497
  * SECURITY UPDATE: denial of service via encoding conversion failures
    - debian/patches/CVE-2015-7498.patch: avoid processing entities after
      encoding conversion failures in parser.c.
    - CVE-2015-7498
  * SECURITY UPDATE: out of bounds read in xmlGROW
    - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the
      parser in parser.c.
    - debian/patches/CVE-2015-7499-2.patch: check input in parser.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds read in xmlParseMisc
    - debian/patches/CVE-2015-7500.patch: check entity boundaries in
      parser.c.
    - CVE-2015-7500
  * SECURITY UPDATE: denial of service via extra processing of MarkupDecl
    - debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c.
    - CVE-2015-8241
  * SECURITY UPDATE: buffer overread with HTML parser in push mode
    - debian/patches/CVE-2015-8242.patch: use pointer in the input in
      HTMLparser.c.
    - CVE-2015-8242
  * SECURITY UPDATE: denial of service via encoding failures
    - debian/patches/CVE-2015-8317-1.patch: do not process encoding values
      if the declaration is broken in parser.c.
    - debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding
      conversion failed in parser.c.
    - CVE-2015-8317

 -- Marc Deslauriers <email address hidden>  Wed, 09 Dec 2015 12:00:30 -0500
Superseded in wily-updates
Superseded in wily-security
libxml2 (2.9.2+zdfsg1-4ubuntu0.2) wily-security; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion issue
    - debian/patches/CVE-2015-5312.patch: properly exit when entity
      expansion is detected in parser.c.
    - CVE-2015-5312
  * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
    - debian/patches/CVE-2015-7497.patch: check offset in dict.c.
    - CVE-2015-7497
  * SECURITY UPDATE: denial of service via encoding conversion failures
    - debian/patches/CVE-2015-7498.patch: avoid processing entities after
      encoding conversion failures in parser.c.
    - CVE-2015-7498
  * SECURITY UPDATE: out of bounds read in xmlGROW
    - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the
      parser in parser.c.
    - debian/patches/CVE-2015-7499-2.patch: check input in parser.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds read in xmlParseMisc
    - debian/patches/CVE-2015-7500.patch: check entity boundaries in
      parser.c.
    - CVE-2015-7500
  * SECURITY UPDATE: denial of service via extra processing of MarkupDecl
    - debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c.
    - CVE-2015-8241
  * SECURITY UPDATE: buffer overread with HTML parser in push mode
    - debian/patches/CVE-2015-8242.patch: use pointer in the input in
      HTMLparser.c.
    - CVE-2015-8242

 -- Marc Deslauriers <email address hidden>  Wed, 09 Dec 2015 11:18:32 -0500
Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
libxml2 (2.9.2+zdfsg1-4ubuntu2) xenial; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion issue
    - debian/patches/CVE-2015-5312.patch: properly exit when entity
      expansion is detected in parser.c.
    - CVE-2015-5312
  * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
    - debian/patches/CVE-2015-7497.patch: check offset in dict.c.
    - CVE-2015-7497
  * SECURITY UPDATE: denial of service via encoding conversion failures
    - debian/patches/CVE-2015-7498.patch: avoid processing entities after
      encoding conversion failures in parser.c.
    - CVE-2015-7498
  * SECURITY UPDATE: out of bounds read in xmlGROW
    - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the
      parser in parser.c.
    - debian/patches/CVE-2015-7499-2.patch: check input in parser.c.
    - CVE-2015-7499
  * SECURITY UPDATE: out of bounds read in xmlParseMisc
    - debian/patches/CVE-2015-7500.patch: check entity boundaries in
      parser.c.
    - CVE-2015-7500
  * SECURITY UPDATE: denial of service via extra processing of MarkupDecl
    - debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c.
    - CVE-2015-8241
  * SECURITY UPDATE: buffer overread with HTML parser in push mode
    - debian/patches/CVE-2015-8242.patch: use pointer in the input in
      HTMLparser.c.
    - CVE-2015-8242

 -- Marc Deslauriers <email address hidden>  Wed, 09 Dec 2015 10:15:37 -0500
Superseded in precise-updates
Superseded in precise-security
libxml2 (2.7.8.dfsg-5.1ubuntu4.12) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via XEE attack
    - include/libxml/tree.h, tree.c, xmlreader.c: enforce the reader to run
      in constant memory.
    - patch obtained from Debian's 2.7.8.dfsg-2+squeeze12 package.
    - CVE-2015-1819
  * SECURITY UPDATE: denial of service via out-of-bounds read
    - parser.c: stop parsing on entities boundaries errors.
    - https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31
    - https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
    - CVE-2015-7941
  * SECURITY UPDATE: overflow in conditional sections
    - parser.c: properly check input.
    - https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d
    - https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450
    - CVE-2015-7942

 -- Marc Deslauriers <email address hidden>  Fri, 13 Nov 2015 09:28:57 -0500
Superseded in trusty-updates
Superseded in trusty-security
libxml2 (2.9.1+dfsg1-3ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via XEE attack
    - debian/patches/CVE-2015-1819.patch: enforce the reader to run in
      constant memory in buf.c, include/libxml/tree.h, xmlreader.c.
    - CVE-2015-1819
  * SECURITY UPDATE: denial of service via out-of-bounds read
    - debian/patches/CVE-2015-7941.patch: stop parsing on entities
      boundaries errors in parser.c.
    - CVE-2015-7941
  * SECURITY UPDATE: overflow in conditional sections
    - debian/patches/CVE-2015-7942.patch: properly check input in parser.c.
    - CVE-2015-7942
  * SECURITY UPDATE: denial of service via crafted document with xz
    - debian/patches/CVE-2015-8035.patch: check for error in xzlib.c.
    - CVE-2015-8035

 -- Marc Deslauriers <email address hidden>  Fri, 13 Nov 2015 08:58:16 -0500
Superseded in vivid-updates
Superseded in vivid-security
libxml2 (2.9.2+dfsg1-3ubuntu0.1) vivid-security; urgency=medium

  * SECURITY UPDATE: denial of service via XEE attack
    - debian/patches/CVE-2015-1819.patch: enforce the reader to run in
      constant memory in buf.c, include/libxml/tree.h, xmlreader.c.
    - CVE-2015-1819
  * SECURITY UPDATE: denial of service via out-of-bounds read
    - debian/patches/CVE-2015-7941.patch: stop parsing on entities
      boundaries errors in parser.c.
    - CVE-2015-7941
  * SECURITY UPDATE: overflow in conditional sections
    - debian/patches/CVE-2015-7942.patch: properly check input in parser.c.
    - CVE-2015-7942

 -- Marc Deslauriers <email address hidden>  Fri, 13 Nov 2015 08:52:21 -0500
Superseded in wily-updates
Superseded in wily-security
libxml2 (2.9.2+zdfsg1-4ubuntu0.1) wily-security; urgency=medium

  * SECURITY UPDATE: overflow in conditional sections
    - debian/patches/CVE-2015-7942.patch: properly check input in parser.c.
    - CVE-2015-7942

 -- Marc Deslauriers <email address hidden>  Fri, 13 Nov 2015 08:50:07 -0500
Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
libxml2 (2.9.2+zdfsg1-4ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: overflow in conditional sections
    - debian/patches/CVE-2015-7942.patch: properly check input in parser.c.
    - CVE-2015-7942
  * SECURITY UPDATE: denial of service via crafted document with xz
    - debian/patches/CVE-2015-8035.patch: check for error in xzlib.c.
    - CVE-2015-8035
  * debian/patches/re-enable-xz-support.patch: re-enable xz support that
    was disabled by mistake in 2.9.2.
  * debian/libxml2.symbols: added new symbol.

 -- Marc Deslauriers <email address hidden>  Fri, 13 Nov 2015 07:30:36 -0500
Superseded in xenial-release
Obsolete in wily-release
Deleted in wily-proposed (Reason: moved to release)
libxml2 (2.9.2+zdfsg1-4) unstable; urgency=medium

  * Revert everything in N'ACKed NMU revert to 2.9.1.
    - Resolving regression, Closes: #754424
    - Drop the following NMU, not needed in 2.9.2, Closes: #781232
    - Drop not approved patch for GNOME #746048
  * Revert icu dbg drop, but don't hardcode version,
    thanks Matthias Klose <doko>, Closes: #798642
  * Cherry pick upstream post release patches:
    - Fix for regression triggered by CVE-2014-3660, Closes: #768089
    - Fix for the spurious ID already defined error, Closes: #766884
    - Fix for CVE-2015-1819, Closes: #782782
    - Fix for GNOME #744980, Closes: #783010
    - Several fixes for memory related issues.

 -- Aron Xu <email address hidden>  Tue, 22 Sep 2015 16:31:48 +0800
Superseded in wily-release
Deleted in wily-proposed (Reason: moved to release)
libxml2 (2.9.2+dfsg1-3ubuntu2) wily; urgency=medium

  * Fix the spurious ID already defined error. Gnome #737840.
  * Don't hardcode the libicuXX-dbg dependency.

 -- Matthias Klose <email address hidden>  Fri, 11 Sep 2015 13:26:44 +0200
Superseded in wily-release
Deleted in wily-proposed (Reason: moved to release)
libxml2 (2.9.2+dfsg1-3ubuntu1) wily; urgency=medium

  * Update hardcoded libicu52-dbg dep

 -- Iain Lane <email address hidden>  Wed, 05 Aug 2015 17:40:32 +0100
Superseded in wily-proposed
libxml2 (2.9.2+dfsg1-3build2) wily; urgency=medium

  * No-change rebuild against new libicu

 -- Iain Lane <email address hidden>  Wed, 05 Aug 2015 17:40:32 +0100
Superseded in wily-proposed
libxml2 (2.9.2+dfsg1-3build1) wily; urgency=medium

  * Rebuild for icu 55.

 -- Matthias Klose <email address hidden>  Mon, 03 Aug 2015 21:21:48 +0000
Superseded in wily-release
Obsolete in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
libxml2 (2.9.2+dfsg1-3) unstable; urgency=medium

  * Add icu related deps for -dev and -dbg packages
    (Closes: #776741)

 -- Aron Xu <email address hidden>  Sun, 01 Feb 2015 12:35:52 +0800
Superseded in vivid-proposed
libxml2 (2.9.2+dfsg1-2) unstable; urgency=medium

  [ Michael Gilbert ]
  * Enable icu support (Closes: #776254)

  [ Aron Xu ]
  * 0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch:
    Fix upstream bug triggered by CVE fix (Closes: #768089)

 -- Aron Xu <email address hidden>  Fri, 30 Jan 2015 13:52:23 +0800

Superseded in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
libxml2 (2.9.2+dfsg1-1) unstable; urgency=low

  * New upstream release (Closes: #765722, CVE-2014-3660)
  * Remove no-longer-needed upstream patches
  * Update distro patch
  * Std-ver: 3.9.5 -> 3.9.6, no change.

 -- Aron Xu <email address hidden>  Sun, 26 Oct 2014 07:04:50 +0800
Obsolete in lucid-updates
Obsolete in lucid-security
libxml2 (2.7.6.dfsg-1ubuntu1.15) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion
    - parser.c, SAX2.c, include/libxml/entities.h: refactor entity checking
      and add additional tests.
    - https://git.gnome.org/browse/libxml2/commit/?id=a3f1e3e5712257fd279917a9158278534e8f4b72
    - https://git.gnome.org/browse/libxml2/commit/?id=cff2546f13503ac028e4c1f63c7b6d85f2f2d777
    - https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230
    - CVE-2014-3660

 -- Marc Deslauriers <email address hidden>  Wed, 22 Oct 2014 14:27:25 -0400