https://bz.apache.org/ooo/show_bug.cgi?id=126893

          Issue ID: 126893
        Issue Type: DEFECT
           Summary: bundled libxml2 version 2.7.8 has many security
                    vulnerabilities
           Product: Build Tools
           Version: 4.2.0-dev
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: Normal
          Priority: P5 (lowest)
         Component: external prerequisites
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 85370
  --> https://bz.apache.org/ooo/attachment.cgi?id=85370&action=edit
patch to upgrade bundled libxml2 to version 2.9.3 and libxslt to version 1.1.28

The libxml2-2.7.8 software bundled with OpenOffice has these security
vulnerabilities:
    CVE-2011-3202
    CVE-2011-3919
    CVE-2013-0338
    CVE-2013-0339
    CVE-2013-2877
    CVE-2014-0191
    CVE-2014-3660
    CVE-2015-1819
    CVE-2015-5312
    CVE-2015-7497
    CVE-2015-7498
    CVE-2015-7499
    CVE-2015-7500
    CVE-2015-7941
    CVE-2015-7942
    CVE-2015-8035
    CVE-2015-8241
    CVE-2015-8242

The attached patch upgrades libxml2 to version 2.9.3 which has no
publicly disclosed vulnerabilities at this time.  The closely
related libxslt is also upgraded from 1.1.26 to 1.1.28, and
the libxslt-CVE-2015-7995.patch to fix CVE-2015-7995 is imported
from the FreeBSD port, which appears to have cherry picked it
from upstream.
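
A check a maintainer can run against a build tree to confirm which libxml2/libxslt is actually bundled, added here as an example; it is not the attached patch and not part of the OpenOffice build system. It assumes the upstream version headers: libxml2's include/libxml/xmlversion.h defines LIBXML_DOTTED_VERSION and LIBXML_VERSION, libxslt's libxslt/xsltconfig.h defines LIBXSLT_DOTTED_VERSION and LIBXSLT_VERSION, with the numeric form major*10000 + minor*100 + micro. The header excerpts embedded below are constructed samples, and the target versions and CVE list are the ones this report gives.

```python
"""Flag a bundled libxml2/libxslt older than the versions the upgrade patch
targets (libxml2 2.9.3, libxslt 1.1.28).

Added example, not the attached patch and not OpenOffice build code.
Assumes the upstream version headers (xmlversion.h / xsltconfig.h) and
their macro names; sample header text below is constructed.
"""
import re
import sys

# Versions the attached patch upgrades to, as stated in the report.
TARGETS = {
    "libxml2": ("LIBXML", (2, 9, 3)),
    "libxslt": ("LIBXSLT", (1, 1, 28)),
}

# CVEs the report lists against the bundled libxml2 2.7.8 specifically.
LIBXML2_2_7_8_CVES = (
    "CVE-2011-3202", "CVE-2011-3919", "CVE-2013-0338", "CVE-2013-0339",
    "CVE-2013-2877", "CVE-2014-0191", "CVE-2014-3660", "CVE-2015-1819",
    "CVE-2015-5312", "CVE-2015-7497", "CVE-2015-7498", "CVE-2015-7499",
    "CVE-2015-7500", "CVE-2015-7941", "CVE-2015-7942", "CVE-2015-8035",
    "CVE-2015-8241", "CVE-2015-8242",
)

# Constructed excerpts of the version headers, trimmed to the macros used.
OLD_XMLVERSION_H = '''
#define LIBXML_DOTTED_VERSION "2.7.8"
#define LIBXML_VERSION 20708
#define LIBXML_VERSION_STRING "20708"
#define LIBXML_VERSION_EXTRA ""
'''
NEW_XMLVERSION_H = OLD_XMLVERSION_H.replace("2.7.8", "2.9.3").replace("20708", "20903")
NEW_XSLTCONFIG_H = '''
#define LIBXSLT_DOTTED_VERSION "1.1.28"
#define LIBXSLT_VERSION 10128
#define LIBXSLT_VERSION_STRING "10128"
'''


def parse_version_header(text, prefix):
    """Return (major, minor, micro) from a libxml2/libxslt version header.

    Both the dotted and the numeric macro must be present and must agree;
    a header where only one of them was bumped is rejected instead of
    being reported as a newer release.
    """
    dotted = re.search(r'^\s*#define\s+%s_DOTTED_VERSION\s+"(\d+)\.(\d+)\.(\d+)"' % prefix,
                       text, re.M)
    numeric = re.search(r'^\s*#define\s+%s_VERSION\s+(\d+)\s*$' % prefix, text, re.M)
    if dotted is None or numeric is None:
        raise ValueError("%s version macros not found" % prefix)
    version = tuple(int(g) for g in dotted.groups())
    major, minor, micro = version
    expected = major * 10000 + minor * 100 + micro
    if int(numeric.group(1)) != expected:
        raise ValueError("%s_VERSION %s does not match dotted version %s"
                         % (prefix, numeric.group(1), fmt(version)))
    return version


def fmt(version):
    return ".".join(str(x) for x in version)


def check_bundled(lib, header_text):
    """Compare the bundled library's header against the patch target."""
    prefix, target = TARGETS[lib]
    found = parse_version_header(header_text, prefix)
    result = {"library": lib, "found": found, "target": target,
              "outdated": found < target, "known_cves": ()}
    # The report's CVE list is tied to 2.7.8; other old versions are only
    # flagged as outdated, with no claim about which CVEs apply.
    if lib == "libxml2" and found == (2, 7, 8):
        result["known_cves"] = LIBXML2_2_7_8_CVES
    return result


def report(lib, header_text):
    r = check_bundled(lib, header_text)
    status = "OUTDATED" if r["outdated"] else "ok"
    line = "%s %s (patch target %s): %s" % (lib, fmt(r["found"]), fmt(r["target"]), status)
    if r["known_cves"]:
        line += "\n  CVEs listed in the report: " + ", ".join(r["known_cves"])
    return line


if __name__ == "__main__":
    # Usage: <lib> <header> pairs, e.g. "libxml2 /path/to/xmlversion.h"
    # (hypothetical path); with no arguments the constructed samples are used.
    args = sys.argv[1:]
    pairs = list(zip(args[::2], args[1::2]))
    if pairs:
        for lib, path in pairs:
            with open(path) as f:
                print(report(lib, f.read()))
    else:
        print(report("libxml2", OLD_XMLVERSION_H))
        print(report("libxml2", NEW_XMLVERSION_H))
        print(report("libxslt", NEW_XSLTCONFIG_H))
```

The cross-check between the dotted and numeric macros is the part worth keeping: a vendored copy that was hand-patched often has one macro edited and the other stale, and a version check that reads only one of them reports the wrong answer.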

The libxml2-configure.patch file was rebased to the new version
of libxml2.  The freebsd-elf change to ltmain.sh was no longer
necessary and was eliminated from the patch.  The fixes in
libxml2-fixes.patch were either fixed upstream or don't seem
to apply anymore, so this patch file was deleted.  The fixes in
libxml2-testapi.patch and libxml2-runtest.patch are now in
the upstream source, so these patch files have been deleted.
The libxml2-mingw.patch and Solaris-specific
libxml2-global-symbols.patch were not updated and were
disconnected from the build.  Several of the fixes in
libxml2-long-path.patch are now fixed upstream.

The libxslt-configure.patch was rebased to the new version of
libxslt, with the libtool-related changes coming from the
libxslt port to FreeBSD. The fixes in libxslt-bsd.patch are
now present in the upstream source, so this patch was deleted.
