This bug was fixed in the package libxml2 - 2.9.3+dfsg1-1ubuntu0.2

---------------
libxml2 (2.9.3+dfsg1-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.ac, debugXML.c,
      encoding.c, entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131
  * debian/patches/lp1652325.patch: XML push parser fails with bogus UTF-8
    encoding error when multi-byte character in large CDATA section is
    split across buffer (LP: #1652325)

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Tue, 14 Mar 2017 16:06:13 -0400

** Changed in: libxml2 (Ubuntu Xenial)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4448

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4658

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5131
https://bugs.launchpad.net/bugs/1652325

Title:
  Libxml2 2.9.3 fails to parse multi-byte character in large CDATA
  section that is split across buffer

Status in libxml2:
  Fix Released
Status in libxml2 package in Ubuntu:
  Invalid
Status in libxml2 source package in Xenial:
  Fix Released

Bug description:
  Ubuntu 16.04 packages libxml2 version 2.9.3*, which contains a
  regression documented here:
  https://git.gnome.org/browse/libxml2/commit/?id=4f8606c13cb7f2684839f850b83de5ce647d3ca7

  Full release notes of 2.9.4 can be seen here:
  http://xmlsoft.org/news.html

  The bug will affect the XML push parser, which fails with a bogus UTF-8
  encoding error when a multi-byte character in a large CDATA section is
  split across buffers, which can be quite common.

  As Xenial is an LTS version and this bug is quite *critical*, I wonder
  if we should provide an update to fix this one.

  If I remember correctly, we're not supposed to update a given package
  to a newer version for a given version of Ubuntu, but as this version
  of Ubuntu will be used in many servers in the coming years and XML
  parsing is quite a common task, it may help a lot of developers to have
  a backported fix of this issue.

  Let me know if you need more information.
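The failure mode named in the bug description, reduced to a stand-alone C illustration. This is an added example, not libxml2's code and not the fix from the referenced commit: a per-chunk UTF-8 check rejects valid input whenever a multi-byte character straddles a chunk boundary, while a check that leaves the unfinished tail queued accepts it. The function names, the 4-byte chunk size and the sample bytes are constructed for illustration.

```c
#include <stdio.h>

/* Structural UTF-8 check of buf[0..len); overlong/surrogate checks omitted.
 * Returns the count of bytes forming whole characters, or -1 if malformed.
 * With complete == 0 a character cut off by the buffer end is not an error. */
static long utf8_check(const unsigned char *buf, size_t len, int complete)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need = c < 0x80 ? 1 : (c & 0xE0) == 0xC0 ? 2 :
                      (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        if (need == 0)
            return -1;                       /* bad lead byte */
        for (size_t k = 1; k < need && i + k < len; k++)
            if ((buf[i + k] & 0xC0) != 0x80)
                return -1;                   /* bad continuation byte */
        if (i + need > len)                  /* character split by buffer end */
            return complete ? -1 : (long)i;
        i += need;
    }
    return (long)i;
}

/* Deliver data `chunk` bytes at a time. carry == 0 checks each chunk as if it
 * were complete (the failure mode); carry == 1 keeps an unfinished tail queued. */
static int feed_chunks(const unsigned char *data, size_t len, size_t chunk, int carry)
{
    size_t done = 0;                         /* bytes validated so far */
    if (chunk == 0)
        return -2;                           /* unsupported chunk size */
    for (size_t end = 0; end < len; ) {
        end = len - end < chunk ? len : end + chunk;   /* next chunk arrives */
        long ok = utf8_check(data + done, end - done, !carry || end == len);
        if (ok < 0)
            return -1;                       /* reported as encoding error */
        done += (size_t)ok;                  /* unfinished tail stays queued */
    }
    return 0;
}

/* Constructed sample: "abc", U+00E9 (2 bytes), "d", U+20AC (3 bytes), "e". */
static const unsigned char SAMPLE[] = {'a','b','c',0xC3,0xA9,'d',0xE2,0x82,0xAC,'e'};

int main(void)
{
    printf("per-chunk check: %d\n", feed_chunks(SAMPLE, sizeof SAMPLE, 4, 0));
    printf("tail carried:    %d\n", feed_chunks(SAMPLE, sizeof SAMPLE, 4, 1));
    return 0;
}
```

The same bytes pass the per-chunk check with 5-byte chunks, which is why this class of error shows up only for particular buffer sizes and input lengths.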