</vendor>
<product id="libxml2">
<name>libxml2</name>
- <version>2.8.0</version>
- <last-release> May 23 2012</last-release>
+ <version>v2.9.3</version>
+ <last-release> Nov 20 2015</last-release>
<info-url>http://xmlsoft.org/</info-url>
- <changes> - Features:
- add lzma compression support (Anders F Bjorklund)
+ <changes> - Security:
+ CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh Davenport),
+ CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard),
+ CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard),
+ CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard),
+ CVE-2015-5312 Another entity expansion issue (David Drysdale),
+ CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale),
+ CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard),
+ CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard),
+ CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard),
+ CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard),
+ CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard)
+ CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard),
+ CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard),
- Documentation:
- xmlcatalog: Add uri and delegateURI to possible add types in man page. (Ville Skyttä),
- Update README.tests (Daniel Veillard),
- URI handling code is not OOM resilient (Daniel Veillard),
- Fix an error in comment (Daniel Veillard),
- Fixed bug #617016 (Daniel Mustieles),
- Fixed two typos in the README document (Daniel Neel),
- add generated html files (Anders F Bjorklund),
- Clarify the need to use xmlFreeNode after xmlUnlinkNode (Daniel Veillard),
- Improve documentation a bit (Daniel Veillard),
- Updated URL for lxml python bindings (Daniel Veillard)
+ Correct spelling of "calling" (Alex Henrie),
+ Fix a small error in xmllint --format description (Fabien Degomme),
+ Avoid XSS on the search of xmlsoft.org (Daniel Veillard)
- Portability:
- Restore code for Windows compilation (Daniel Veillard),
- Remove git error message during configure (Christian Dywan),
- xmllint: Build fix for endTimer if !defined(HAVE_GETTIMEOFDAY) (Patrick R. Gansterer),
- remove a bashism in confgure.in (John Hein),
- undef ERROR if already defined (Patrick R. Gansterer),
- Fix library problems with mingw-w64 (Michael Cronenworth),
- fix windows build. ifdef addition from bug 666491 makes no sense (Rob Richards),
- prefer native threads on win32 (Sam Thursfield),
- Allow to compile with Visual Studio 2010 (Thomas Lemm),
- Fix mingw's snprintf configure check (Andoni Morales),
- fixed a 64bit big endian issue (Marcus Meissner),
- Fix portability failure if netdb.h lacks NO_ADDRESS (Daniel Veillard),
- Fix windows build from lzma addition (Rob Richards),
- autogen: Only check for libtoolize (Colin Walters),
- Fix the Windows build files (Patrick von Reth),
- 634846 Remove a linking option breaking Windows VC10 (Daniel Veillard),
- 599241 fix an initialization problem on Win64 (Andrew W. Nosenko),
- fix win build (Rob Richards)
+ threads: use forward declarations only for glibc (Michael Heimpold),
+ Update Win32 configure.js to search for configure.ac (Daniel Veillard)
- - Bug fixes:
- Part for rand_r checking missing (Daniel Veillard),
- Cleanup on randomization (Daniel Veillard),
- Fix undefined reference in python module (Pacho Ramos),
- Fix a race in xmlNewInputStream (Daniel Veillard),
- Fix weird streaming RelaxNG errors (Noam),
- Fix various bugs in new code raised by the API checking (Daniel Veillard),
- Fix various problems with "make dist" (Daniel Veillard),
- Fix a memory leak in the xzlib code (Daniel Veillard),
- HTML parser error with <noscript> in the <head> (Denis Pauk),
- XSD: optional element in complex type extension (Remi Gacogne),
- Fix html serialization error and htmlSetMetaEncoding() (Daniel Veillard),
- Fix a wrong return value in previous patch (Daniel Veillard),
- Fix an uninitialized variable use (Daniel Veillard),
- Fix a compilation problem with --minimum (Brandon Slack),
- Remove redundant and ungarded include of resolv.h (Daniel Veillard),
- xinclude with parse="text" does not use the entity loader (Shaun McCance),
- Allow to parse 1 byte HTML files (Denis Pauk),
- Patch that fixes the skipping of the HTML_PARSE_NOIMPLIED flag (Martin Schröder),
- Avoid memory leak if xmlParserInputBufferCreateIO fails (Lin Yi-Li),
- Prevent an infinite loop when dumping a node with encoding problems (Timothy Elliott),
- xmlParseNodeInContext problems with an empty document (Tim Elliott),
- HTML element position is not detected propperly (Pavel Andrejs),
- Fix an off by one pointer access (Jüri Aedla),
- Try to fix a problem with entities in SAX mode (Daniel Veillard),
- Fix a crash with xmllint --path on empty results (Daniel Veillard),
- Fixed bug #667946 (Daniel Mustieles),
- Fix a logic error in Schemas Component Constraints (Ryan Sleevi),
- Fix a wrong enum type use in Schemas Types (Nico Weber),
- Fix SAX2 builder in case of undefined attributes namespace (Daniel Veillard),
- Fix SAX2 builder in case of undefined element namespaces (Daniel Veillard),
- fix reference to STDOUT_FILENO on MSVC (Tay Ray Chuan),
- fix a pair of possible out of array char references (Daniel Veillard),
- Fix an allocation error when copying entities (Daniel Veillard),
- Make sure the parser returns when getting a Stop order (Chris Evans),
- Fix some potential problems on reallocation failures(parser.c) (Xia Xinfeng),
- Fix a schema type duration comparison overflow (Daniel Veillard),
- Fix an unimplemented part in RNG value validation (Daniel Veillard),
- Fix missing error status in XPath evaluation (Daniel Veillard),
- Hardening of XPath evaluation (Daniel Veillard),
- Fix an off by one error in encoding (Daniel Veillard),
- Fix RELAX NG include bug #655288 (Shaun McCance),
- Fix XSD validation bug #630130 (Toyoda Eizi),
- Fix some potential problems on reallocation failures (Chris Evans),
- __xmlRaiseError: fix use of the structured callback channel (Dmitry V. Levin),
- __xmlRaiseError: fix the structured callback channel's data initialization (Dmitry V. Levin),
- Fix memory corruption when xmlParseBalancedChunkMemoryInternal is called from xmlParseBalancedChunk (Rob Richards),
- Small fix for previous commit (Daniel Veillard),
- Fix a potential freeing error in XPath (Daniel Veillard),
- Fix a potential memory access error (Daniel Veillard),
- Reactivate the shared library versionning script (Daniel Veillard)
+ - Bug Fixes:
+ Bug on creating new stream from entity (Daniel Veillard),
+ Fix some loop issues embedding NEXT (Daniel Veillard),
+ Do not print error context when there is none (Daniel Veillard),
+ Avoid extra processing of MarkupDecl when EOF (Hugh Davenport),
+ Fix parsing short unclosed comment uninitialized access (Daniel Veillard),
+ Add missing Null check in xmlParseExternalEntityPrivate (Gaurav Gupta),
+ Fix a bug in CData error handling in the push parser (Daniel Veillard),
+ Fix a bug on name parsing at the end of current input buffer (Daniel Veillard),
+ Fix the spurious ID already defined error (Daniel Veillard),
+ Fix previous change to node sort order (Nick Wellnhofer),
+ Fix a self assignment issue raised by clang (Scott Graham),
+ Fail parsing early on if encoding conversion failed (Daniel Veillard),
+ Do not process encoding values if the declaration if broken (Daniel Veillard),
+ Silence clang's -Wunknown-attribute (Michael Catanzaro),
+ xmlMemUsed is not thread-safe (Martin von Gagern),
+ Fix support for except in nameclasses (Daniel Veillard),
+ Fix order of root nodes (Nick Wellnhofer),
+ Allow attributes on descendant-or-self axis (Nick Wellnhofer),
+ Fix the fix to Windows locking (Steve Nairn),
+ Fix timsort invariant loop re: Envisage article (Christopher Swenson),
+ Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer),
+ Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer),
+ Remove various unused value assignments (Philip Withnall),
+ Fix missing entities after CVE-2014-3660 fix (Daniel Veillard),
+ Revert "Missing initialization for the catalog module" (Daniel Veillard)
- Improvements:
- use mingw C99 compatible functions {v}snprintf instead those from MSVC runtime (Roumen Petrov),
- New symbols added for the next release (Daniel Veillard),
- xmlTextReader bails too quickly on error (Andy Lutomirski),
- Use a hybrid allocation scheme in xmlNodeSetContent (Conrad Irwin),
- Use buffers when constructing string node lists. (Conrad Irwin),
- Add HTML parser support for HTML5 meta charset encoding declaration (Denis Pauk),
- wrong message for double hyphen in comment XML error (Bryan Henderson),
- Fix "make tst" to grab lzma lib too (Daniel Veillard),
- Add "whereis" command to xmllint shell (Ryan),
- Improve xmllint shell (Ryan),
- add function xmlTextReaderRelaxNGValidateCtxt() (Noam Postavsky),
- Add --system support to autogen.sh (Daniel Veillard),
- Add hash randomization to hash and dict structures (Daniel Veillard),
- included xzlib in dist (Anders F Bjorklund),
- move xz/lzma helpers to separate included files (Anders F Bjorklund),
- add generated devhelp files (Anders F Bjorklund),
- add XML_WITH_LZMA to api (Anders F Bjorklund),
- autogen.sh: Honor NOCONFIGURE environment variable (Colin Walters),
- Improve the error report on undefined REFs (Daniel Veillard),
- Add exception for new W3C PI xml-model (Daniel Veillard),
- Add options to ignore the internal encoding (Daniel Veillard),
- testapi: use the right type for the check (Stefan Kost),
- various: handle return values of write calls (Stefan Kost),
- testWriter: xmlTextWriterWriteFormatElement wants an int instead of a long int (Stefan Kost),
- runxmlconf: update to latest testsuite version (Stefan Kost),
- configure: add -Wno-long-long to CFLAGS (Stefan Kost),
- configure: support silent automake rules if possible (Stefan Kost),
- xmlmemory: add a cast as size_t has no portable printf modifier (Stefan Kost),
- __xmlRaiseError: remove redundant schannel initialization (Dmitry V. Levin),
- __xmlRaiseError: do cheap code check early (Dmitry V. Levin)
+ Reuse xmlHaltParser() where it makes sense (Daniel Veillard),
+ xmlStopParser reset errNo (Daniel Veillard),
+ Reenable xz support by default (Daniel Veillard),
+ Recover unescaped less-than character in HTML recovery parsing (Daniel Veillard),
+ Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance),
+ Regression test for bug #695699 (Nick Wellnhofer),
+ Add a couple of XPath tests (Nick Wellnhofer),
+ Add Python 3 rpm subpackage (Tomas Radej),
+ libxml2-config.cmake.in: update include directories (Samuel Martin),
+ Adding example from bugs 738805 to regression tests (Daniel Veillard)
- Cleanups:
- Cleanups before 2.8.0-rc2 (Daniel Veillard),
- Avoid an extra operation (Daniel Veillard),
- Remove vestigial de-ANSI-fication support. (Javier Jardón),
- autogen.sh: Fix typo (Javier Jardón),
- Do not use unsigned but unsigned int (Daniel Veillard),
- Remove two references to u_short (Daniel Veillard),
- Fix -Wempty-body warning from clang (Nico Weber),
- Cleanups of lzma support (Daniel Veillard),
- Augment the list of ignored files (Daniel Veillard),
- python: remove unused variable (Stefan Kost),
- python: flag two unused args (Stefan Kost),
- configure: acconfig.h is deprecated since autoconf-2.50 (Stefan Kost),
- xpath: remove unused variable (Stefan Kost)
</changes>