
Accepted libxml2 2.8.0+dfsg1-7+wheezy8 (source amd64 all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 30 Jun 2017 19:03:02 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy8
Distribution: wheezy-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Changes:
 libxml2 (2.8.0+dfsg1-7+wheezy8) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Wheezy LTS Team.
   * CVE-2017-7375
     Missing validation for external entities in xmlParsePEReference
   * CVE-2017-9047 + CVE-2017-9048
     A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801.
     The function xmlSnprintfElementContent in valid.c is supposed to
     recursively dump the element content definition into a char buffer 'buf'
     of size 'size'. The variable len is assigned strlen(buf).
     If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the
     content->prefix is appended to buf (if it actually fits) whereupon
     (ii) content->name is written to the buffer. However, the check for
     whether the content->name actually fits also uses 'len' rather than
     the updated buffer length strlen(buf). This allows us to write about
     "size" many bytes beyond the allocated memory. This vulnerability
     causes programs that use libxml2, such as PHP, to crash.
   * CVE-2017-9049 + CVE-2017-9050
     libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based
     buffer over-read in the xmlDictComputeFastKey function in dict.c.
     This vulnerability causes programs that use libxml2, such as PHP,
     to crash. This vulnerability exists because of an incomplete fix
     for libxml2 Bug 759398.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
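
The stale-length check described in the CVE-2017-9047 + CVE-2017-9048 entry above, shown beside a corrected form. This is an added example, not part of the upload notice and not libxml2's source: it is a simplified model, and the function names, the 16-byte declared size and the oversized backing array (used so the overrun can be measured safely) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DECLARED 16   /* the 'size' the caller claims for buf (assumed value) */

/* Model of the flawed logic: 'len' is measured once and reused. */
static void append_qname_stale(char *buf, size_t size,
                               const char *prefix, const char *name)
{
    size_t len = strlen(buf);
    if (prefix != NULL) {
        if (size - len < strlen(prefix) + 2) return;  /* prefix + ':' + NUL */
        strcat(buf, prefix);
        strcat(buf, ":");
    }
    /* BUG: 'len' still describes buf as it was before the prefix went in. */
    if (size - len < strlen(name) + 1) return;
    strcat(buf, name);
}

/* Corrected form: re-measure the buffer after every append. */
static void append_qname_fixed(char *buf, size_t size,
                               const char *prefix, const char *name)
{
    size_t len = strlen(buf);
    if (prefix != NULL) {
        if (size - len < strlen(prefix) + 2) return;
        strcat(buf, prefix);
        strcat(buf, ":");
        len = strlen(buf);                            /* the missing update */
    }
    if (size - len < strlen(name) + 1) return;
    strcat(buf, name);
}

/* The backing array is twice DECLARED, so the stale variant's excess bytes
 * land in slack space and the result can be measured without undefined
 * behaviour. Returns the resulting string length. */
static size_t run_case(int fixed, const char *prefix, const char *name)
{
    char backing[2 * DECLARED] = "";
    if (fixed) append_qname_fixed(backing, DECLARED, prefix, name);
    else       append_qname_stale(backing, DECLARED, prefix, name);
    return strlen(backing);
}

int main(void)
{   /* constructed input: 10-byte prefix, 12-byte name */
    printf("stale=%zu fixed=%zu declared=%d\n", run_case(0, "abcdefghij",
           "klmnopqrstuv"), run_case(1, "abcdefghij", "klmnopqrstuv"), DECLARED);
    return 0;
}
```

With the constructed input, the stale variant produces a string longer than the declared size, while the corrected variant stops after the prefix because the name no longer fits.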