
[SECURITY] [DLA 691-1] libxml2 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libxml2
Version        : 2.8.0+dfsg1-7+wheezy7
CVE ID         : CVE-2016-4658 CVE-2016-5131

CVE-2016-4658
     Namespace nodes must be copied to avoid use-after-free errors.
     But they don't necessarily have a physical representation in a
     document, so simply disallow them in XPointer ranges.

CVE-2016-5131
     The old code would invoke the broken xmlXPtrRangeToFunction.
     range-to isn't really a function but a special kind of
     location step. Remove this function and always handle range-to
     in the XPath code.
     The old xmlXPtrRangeToFunction could also be abused to trigger
     a use-after-free error with the potential for remote code
     execution.

For Debian 7 "Wheezy", these problems have been fixed in version
2.8.0+dfsg1-7+wheezy7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

