
Debian-LTS alert DLA-691-1 (libxml2)

From:  Thorsten Alteholz <debian@alteholz.de>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 691-1] libxml2 security update
Date:  Mon, 31 Oct 2016 18:09:55 +0100 (CET)
Message-ID:  <alpine.DEB.2.02.1610311809010.8728@jupiter.server.alteholz.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libxml2
Version        : 2.8.0+dfsg1-7+wheezy7
CVE ID         : CVE-2016-4658 CVE-2016-5131

CVE-2016-4658

    Namespace nodes must be copied to avoid use-after-free errors. But they
    don't necessarily have a physical representation in a document, so
    simply disallow them in XPointer ranges.

CVE-2016-5131

    The old code would invoke the broken xmlXPtrRangeToFunction. range-to
    isn't really a function but a special kind of location step. Remove
    this function and always handle range-to in the XPath code. The old
    xmlXPtrRangeToFunction could also be abused to trigger a use-after-free
    error with the potential for remote code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
2.8.0+dfsg1-7+wheezy7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

