-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 Dec 2015 15:29:45 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: all source
Version: 2.9.1+dfsg1-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 782782 782985 783010 802827 803942 806384
Description:
 libxml2 - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Changes:
 libxml2 (2.9.1+dfsg1-5+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches to address CVE-2015-7941.
     CVE-2015-7941: Denial of service via out-of-bounds read.
     (Closes: #783010)
   * Add 0058-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch.
     CVE-2015-1819: Enforce the reader to run in constant memory.
     (Closes: #782782)
   * Add patches to address CVE-2015-8317.
     CVE-2015-8317: Out-of-bounds heap read when parsing file with
     unfinished xml declaration.
   * Add patches to address CVE-2015-7942.
     CVE-2015-7942: heap-based buffer overflow in
     xmlParseConditionalSections(). (Closes: #802827)
   * Add 0063-Fix-parsing-short-unclosed-comment-uninitialized-acc.patch
     patch.
     Parsing an unclosed comment can result in `Conditional jump or move
     depends on uninitialised value(s)` and unsafe memory access.
     (Closes: #782985)
   * Add 0064-CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch.
     CVE-2015-8035: DoS when parsing specially crafted XML document if XZ
     support is enabled. (Closes: #803942)
   * Add 0065-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch.
     CVE-2015-8241: Buffer overread with XML parser in xmlNextChar.
     (Closes: #806384)
   * Add 0066-Avoid-processing-entities-after-encoding-conversion-.patch
     patch.
     CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl.
   * Add 0067-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
     patch.
     CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey.
   * Add 0068-CVE-2015-5312-Another-entity-expansion-issue.patch patch.
     CVE-2015-5312: CPU exhaustion when processing specially crafted XML
     input.
   * Add patches to address CVE-2015-7499.
     CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
   * Add 0071-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
     patch.
     CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
Checksums-Sha1:
 4d69762c6f1d5f748daf80b712a18e5a94a8d947 2591 libxml2_2.9.1+dfsg1-5+deb8u1.dsc
 357366e7afc9dd03ba883c605d5c369decb2b2e1 3793894 libxml2_2.9.1+dfsg1.orig.tar.gz
 004a1df14622f17e21971e6830a04625e51bbebb 48620 libxml2_2.9.1+dfsg1-5+deb8u1.debian.tar.xz
 98aa0e0043be46271211df7f063675b70f15f092 814120 libxml2-doc_2.9.1+dfsg1-5+deb8u1_all.deb
Checksums-Sha256:
 edf831eba01aedd2643c3f867d9e2cab00242983f801b268019307901517ef9f 2591 libxml2_2.9.1+dfsg1-5+deb8u1.dsc
 f3ec5256412192f74833286c4490672500b232ed1c9195214db2c641df064a28 3793894 libxml2_2.9.1+dfsg1.orig.tar.gz
 03e6e7ece4183fb8028688c0cec39b55dce60d7f67c8351c5655801d9e79c7ac 48620 libxml2_2.9.1+dfsg1-5+deb8u1.debian.tar.xz
 e2a1e9b873a324286ec89828b8bf0f629f3ccf482a77eeff7a7c2314e5863c53 814120 libxml2-doc_2.9.1+dfsg1-5+deb8u1_all.deb
Files:
 0f86c710bec848296ce3180fe830a6a9 2591 libs optional libxml2_2.9.1+dfsg1-5+deb8u1.dsc
 5f111980c06f927a62492b7b9781b7bf 3793894 libs optional libxml2_2.9.1+dfsg1.orig.tar.gz
 89ca676465cdde570e22ff4588abc937 48620 libs optional libxml2_2.9.1+dfsg1-5+deb8u1.debian.tar.xz
 f281fb339413bae63912385a43997eb1 814120 doc optional libxml2-doc_2.9.1+dfsg1-5+deb8u1_all.deb