
[SECURITY] [DLA 151-1] libxml2 security update



Package        : libxml2
Version        : 2.7.8.dfsg-2+squeeze11
CVE ID         : CVE-2014-0191 CVE-2014-3660
Debian Bug     : 768089

It was discovered that the update released for libxml2 in DSA 2978 fixing
CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external
entities regardless of whether entity substitution or validation is
enabled.

In addition, this update addresses a regression introduced in DSA 3057 by
the patch fixing CVE-2014-3660. This caused libxml2 to not parse an
entity when it's used first in another entity referenced from an
attribute value.
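
An added example, not part of the advisory or of libxml2: since the affected versions fetch external entities whatever parser options are set, an application that cannot upgrade at once can screen untrusted documents before they reach libxml2. This sketch uses Python's standard-library expat binding, which does not retrieve external entities itself; the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

def external_references(xml_bytes):
    """List (kind, name, system_id) for each external reference a document declares."""
    found = []
    parser = expat.ParserCreate()
    # Never follow parameter entities; this screen must not fetch anything itself.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            found.append(("doctype", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # internal entities carry a value, external ones do not
            kind = "parameter-entity" if is_param else "entity"
            found.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found

def safe_to_forward(xml_bytes):
    """True only for well-formed documents that declare no external references."""
    try:
        return not external_references(xml_bytes)
    except expat.ExpatError:
        return False  # fail closed on anything the screen cannot parse

# Constructed sample documents (example.invalid never resolves).
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY ext SYSTEM "http://example.invalid/e.txt">
  <!ENTITY int "ok">
]>
<r a="&int;">&ext;</r>"""
EXTERNAL_DTD = b'<!DOCTYPE r SYSTEM "http://example.invalid/r.dtd"><r/>'
INTERNAL_ONLY = b'<!DOCTYPE r [ <!ENTITY int "ok"> ]><r>&int;</r>'

if __name__ == "__main__":
    for doc in (EXTERNAL_ENTITY, EXTERNAL_DTD, INTERNAL_ONLY, b"<r>"):
        print(safe_to_forward(doc))
```

A screen like this is a stopgap in front of an unpatched parser; installing the package version listed above is the fix.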
