Debian Security Advisory

DLA-355-1 libxml2 -- LTS security update

Date Reported:
29 Nov 2015
Affected Packages:
libxml2
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 806384.
In Mitre's CVE dictionary: CVE-2015-8241, CVE-2015-8317.
More information:
  • CVE-2015-8241

    Buffer overread with XML parser in xmlNextChar

  • CVE-2015-8317
    • Issues in the xmlParseXMLDecl function: if converting the current input stream fails while processing the encoding declaration of the XMLDecl, it is safer to abort there and not try to report further errors.
    • If the string is not properly terminated, do not try to convert it to the given encoding.
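
The two xmlParseXMLDecl points above describe a bounded-parsing pattern: stop at the first failure, and never pass a value on to encoding conversion when its closing delimiter was not found inside the input. The C block below is an added illustration written for this page; it is not libxml2 code and not the patch the advisory refers to. The function names (parse_decl_encoding, demo_status, demo_encoding), the decl_status enum and the sample declarations are all invented for the example. It extracts the encoding pseudo-attribute of an XML declaration using an explicit buffer length rather than a terminator, rejects an unterminated value before any conversion could happen, and returns at the first problem it meets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the fix pattern described for CVE-2015-8317.
 * NOT libxml2 code: a hypothetical parser for the encoding="..." pseudo-
 * attribute of an XML declaration that reads input only through an
 * explicit length and refuses to hand an unterminated value to any
 * encoding conversion step. */

enum decl_status {
    DECL_OK = 0,
    DECL_NO_ENCODING,   /* no encoding pseudo-attribute in the declaration */
    DECL_UNTERMINATED,  /* opening quote found, closing quote not within bounds */
    DECL_BAD_NAME,      /* value is empty or not a valid EncName */
    DECL_TOO_LONG       /* value does not fit the caller's output buffer */
};

static bool is_space(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* XML EncName: [A-Za-z] ([A-Za-z0-9._] | '-')* */
static bool enc_char_ok(char c, bool first) {
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) return true;
    if (first) return false;
    return (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Extract the encoding name from decl[0..len). The buffer is not assumed to
 * be NUL-terminated; every access is bounded by len. The function returns at
 * the first problem it meets and never copies a partial value into out. */
enum decl_status parse_decl_encoding(const char *decl, size_t len,
                                     char *out, size_t outsz) {
    static const char key[] = "encoding";
    const size_t keylen = sizeof key - 1;
    size_t i = 0;

    /* Locate the keyword without reading past len. */
    while (i + keylen <= len && memcmp(decl + i, key, keylen) != 0) i++;
    if (i + keylen > len) return DECL_NO_ENCODING;
    i += keylen;

    /* Optional whitespace, '=', optional whitespace, opening quote. */
    while (i < len && is_space(decl[i])) i++;
    if (i >= len || decl[i] != '=') return DECL_NO_ENCODING;
    i++;
    while (i < len && is_space(decl[i])) i++;
    if (i >= len || (decl[i] != '"' && decl[i] != '\'')) return DECL_NO_ENCODING;

    char quote = decl[i++];
    size_t start = i;
    /* Scan for the closing quote, stopping at len rather than running past it. */
    while (i < len && decl[i] != quote) i++;
    if (i >= len) return DECL_UNTERMINATED;   /* no conversion of a partial value */

    size_t vlen = i - start;
    if (vlen == 0) return DECL_BAD_NAME;
    for (size_t k = 0; k < vlen; k++)
        if (!enc_char_ok(decl[start + k], k == 0)) return DECL_BAD_NAME;
    if (vlen + 1 > outsz) return DECL_TOO_LONG;

    memcpy(out, decl + start, vlen);
    out[vlen] = '\0';
    return DECL_OK;
}

/* Constructed sample declarations (made up for this example). */
static const char *const samples[] = {
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
    "<?xml version=\"1.0\" encoding=\"ISO-8859-1",   /* truncated: no closing quote */
    "<?xml version=\"1.0\"?>",                        /* no encoding at all */
    "<?xml version=\"1.0\" encoding='UTF 8'?>",      /* space is not an EncName char */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

static char last_name[16];

/* Run the parser on sample `which` and report its status. */
enum decl_status demo_status(int which) {
    if (which < 0 || (size_t)which >= NSAMPLES) return DECL_NO_ENCODING;
    last_name[0] = '\0';
    return parse_decl_encoding(samples[which], strlen(samples[which]),
                               last_name, sizeof last_name);
}

/* Encoding name recovered by the most recent demo_status() call ("" if none). */
const char *demo_encoding(void) { return last_name; }

int main(void) {
    for (int w = 0; (size_t)w < NSAMPLES; w++) {
        enum decl_status s = demo_status(w);
        printf("sample %d: status %d encoding \"%s\"\n", w, (int)s, demo_encoding());
    }
    return 0;
}
```

The second sample is the case the advisory's fix targets: the declaration ends before the closing quote, so the parser reports DECL_UNTERMINATED and the output buffer is left empty instead of being filled from whatever bytes follow the input.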

Additional fix for an off-by-one error in the previous patch for CVE-2015-7942 (thanks to Salvatore for spotting this).