touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #129808
[Bug 1525996] Re: missing patch in USN-2834-1 security updates
This bug was fixed in the package libxml2 - 2.9.2+dfsg1-3ubuntu0.3
---------------
libxml2 (2.9.2+dfsg1-3ubuntu0.3) vivid-security; urgency=medium
* SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
(LP: #1525996)
- add extra commits to this previously-fixed CVE
- debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
makes sense in parser.c.
- debian/patches/CVE-2015-7499-4.patch: do not print error context when
there is none in error.c.
- CVE-2015-7499
* SECURITY UPDATE: out of bounds memory access via unclosed html comment
- debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
comment uninitialized access in HTMLparser.c.
- CVE-2015-8710
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Thu, 14 Jan 2016
13:12:24 -0500
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libxml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1525996
Title:
missing patch in USN-2834-1 security updates
Status in libxml2 package in Ubuntu:
Fix Released
Status in libxml2 source package in Precise:
Confirmed
Status in libxml2 source package in Trusty:
Confirmed
Status in libxml2 source package in Vivid:
Fix Released
Status in libxml2 source package in Wily:
Fix Released
Status in libxml2 source package in Xenial:
Fix Released
Bug description:
USN-2834-1 contained a fix for CVE-2015-7499, but did not contain the
following subsequent commit:
https://git.gnome.org/browse/libxml2/commit/?id=ce0b0d0d81fdbb5f722a890432b52d363e4de57b
See post from Tom Lane here:
http://www.postgresql.org/message-id/31003.1450111414@xxxxxxxxxxxxx
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1525996/+subscriptions
References