[ubuntu/hirsute-security] libxml2 2.9.10+dfsg-6.3ubuntu0.1 (Accepted)
Avital Ostromich
avital.ostromich at canonical.com
Thu Jun 17 14:38:05 UTC 2021
libxml2 (2.9.10+dfsg-6.3ubuntu0.1) hirsute-security; urgency=medium
* SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal
- debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure
that names aren't stored in dictionaries.
- CVE-2021-3516
* SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal
- debian/patches/CVE-2021-3517.patch: Add some checks to validate input is
UTF-8 format, supplementing CVE-2020-24977 fix.
- CVE-2021-3517
* SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess
- debian/patches/CVE-2021-3518.patch: Move from a block list to an allow
list approach to avoid descending into other node types that can't
contain elements.
- CVE-2021-3518
* SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel
- debian/patches/CVE-2021-3537.patch: Check return value of recursive calls
to xmlParseElementChildrenContentDeclPriv and return immediately in case
of errors.
- CVE-2021-3537
* SECURITY UPDATE: Exponential entity expansion
- debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to
xmlParserEntityCheck to prevent entity exponential.
- CVE-2021-3541
Date: 2021-05-27 19:47:23.522578+00:00
Changed-By: Avital Ostromich <avital.ostromich at canonical.com>
https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-6.3ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the Hirsute-changes
mailing list