ELA-837-1 libxml2 security update
Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u15 (jessie), 2.9.4+dfsg1-2.2+deb9u10 (stretch)
Related CVEs :
CVE-2017-5130
CVE-2017-5969
CVE-2023-28484
CVE-2023-29469
Multiple issues were found in libxml2, the GNOME XML library, which could
allow a remote attacker to trigger heap memory corruption, cause a denial of
service, or have other unspecified impact.
The Jessie update 2.9.1+dfsg1-5+deb8u15 fixes all mentioned CVEs.
The Stretch update 2.9.4+dfsg1-2.2+deb9u10 fixes CVE-2023-28484 and CVE-2023-29469;
the other two were already fixed by a previous upload, see DLA-2972-1 for details.
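The following is an added check, not part of the advisory: a POSIX shell function that classifies an installed libxml2 package version as fixed or not for ELA-837-1. It relies on the fact that within one suite the upstream version and Debian revision in front of "+debNuM" are constant (2.9.1+dfsg1-5 on jessie, 2.9.4+dfsg1-2.2 on stretch), so only the update number after "u" needs comparing; any version string that does not match those prefixes is reported as unknown rather than guessed. The version strings in the comments are constructed sample input; on a real host the value comes from dpkg-query as shown.

```shell
#!/bin/sh
# Added example, not part of the Debian ELTS advisory.
# Fixed versions from ELA-837-1:
#   jessie  : 2.9.1+dfsg1-5+deb8u15
#   stretch : 2.9.4+dfsg1-2.2+deb9u10
# Assumption: on each suite the part before "+debNu" never changes, so the
# numeric update counter after "u" is enough to order versions. For arbitrary
# Debian versions use "dpkg --compare-versions" instead of this shortcut.

# ela837_status VERSION
#   prints "fixed (SUITE)", "vulnerable (SUITE, need VERSION)" or "unknown"
#   returns 0 = fixed, 1 = vulnerable, 2 = not a jessie/stretch libxml2 version
ela837_status() {
    ver="$1"
    case "$ver" in
        2.9.1+dfsg1-5+deb8u*)   base="2.9.1+dfsg1-5+deb8u";   need=15; suite=jessie ;;
        2.9.4+dfsg1-2.2+deb9u*) base="2.9.4+dfsg1-2.2+deb9u"; need=10; suite=stretch ;;
        *) echo "unknown"; return 2 ;;
    esac
    # strip the constant prefix, leaving only the update counter
    upd="${ver#"$base"}"
    case "$upd" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;   # e.g. "15~bpo" or empty
    esac
    if [ "$upd" -ge "$need" ]; then
        echo "fixed ($suite)"
        return 0
    fi
    echo "vulnerable ($suite, need ${base}${need})"
    return 1
}

# check_installed: query the package database (only works on a Debian host)
check_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        ela837_status "$(dpkg-query -W -f='${Version}' libxml2 2>/dev/null)"
    else
        echo "dpkg-query not available"
        return 2
    fi
}

# Constructed sample versions (not taken from a real host):
#   ela837_status 2.9.1+dfsg1-5+deb8u14     -> vulnerable (jessie, ...)
#   ela837_status 2.9.4+dfsg1-2.2+deb9u10   -> fixed (stretch)
```

Run `check_installed` on a jessie or stretch host; a non-zero exit status (1 vulnerable, 2 unknown) makes it usable from a fleet-wide inventory script.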
CVE-2017-5130
An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in
Google Chrome prior to 62.0.3202.62 and other products, allowed a remote
attacker to potentially exploit heap corruption via a crafted XML file.
CVE-2017-5969
libxml2 2.9.4, when used in recover mode, allows one to cause a denial
of service (NULL pointer dereference) via a crafted XML document.
CVE-2023-28484
NULL dereference in xmlSchemaFixupComplexType.
CVE-2023-29469
Hashing of empty dict strings isn't deterministic.
A libxml2 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address multiple issues.