[xml] Release of libvirt-2.9.3
This is a security release, I didn't try to push a number of other
patches considering urgency.

That release is dedicated to the memory of Bill Brack who was my
co-maintainer for many years on libxml2 and libxslt, we became friends,
he has a huge influence still on the way I do things. Unfortunately he passed
away last February. I'm sure he would have commented that celebrating
his legacy with a release with so many CVE would be a tribute to his
programming skills, because he always approached life with a sense of
humor. RIP Bill, the code still lives but OpenSource is more about
people than code !

So yes that release is packed with Security and ugly bugs fixes,
more than overall improvements, I have put signed tarballs and rpms
to the usual place at

ftp://xmlsoft.org/libxml2/

Update is strongly suggested !

Security:
- CVE-2015-8242 Buffer overread with HTML parser in push mode (Hugh Davenport)
- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard)
- CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard)
- CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard)
- CVE-2015-5312 Another entity expansion issue (David Drysdale)
- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale)
- CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard)
- CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard)
- CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard)
- CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard)
- CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard)
- CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard)
- CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard)

Documentation:
- Correct spelling of "calling" (Alex Henrie)
- Fix a small error in xmllint --format description (Fabien Degomme)
- Avoid XSS on the search of xmlsoft.org (Daniel Veillard)

Portability:
- threads: use forward declarations only for glibc (Michael Heimpold)
- Update Win32 configure.js to search for configure.ac (Daniel Veillard)
- os400: lot of docs fixes and improvements (Patrick Monnerat)

Bug Fixes:
- Bug on creating new stream from entity (Daniel Veillard)
- Fix some loop issues embedding NEXT (Daniel Veillard)
- Do not print error context when there is none (Daniel Veillard)
- Avoid extra processing of MarkupDecl when EOF (Hugh Davenport)
- Fix parsing short unclosed comment uninitialized access (Daniel Veillard)
- Add missing Null check in xmlParseExternalEntityPrivate (Gaurav Gupta)
- Fix a bug in CData error handling in the push parser (Daniel Veillard)
- Fix a bug on name parsing at the end of current input buffer (Daniel Veillard)
- Fix the spurious ID already defined error (Daniel Veillard)
- Fix previous change to node sort order (Nick Wellnhofer)
- Fix a self assignment issue raised by clang (Scott Graham)
- Fail parsing early on if encoding conversion failed (Daniel Veillard)
- Do not process encoding values if the declaration is broken (Daniel Veillard)
- Silence clang's -Wunknown-attribute (Michael Catanzaro)
- xmlMemUsed is not thread-safe (Martin von Gagern)
- Fix support for except in nameclasses (Daniel Veillard)
- Fix order of root nodes (Nick Wellnhofer)
- Allow attributes on descendant-or-self axis (Nick Wellnhofer)
- Fix the fix to Windows locking (Steve Nairn)
- Fix timsort invariant loop re: Envisage article (Christopher Swenson)
- Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer)
- Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer)
- Remove various unused value assignments (Philip Withnall)
- Fix missing entities after CVE-2014-3660 fix (Daniel Veillard)
- Revert "Missing initialization for the catalog module" (Daniel Veillard)

Improvements:
- Reuse xmlHaltParser() where it makes sense (Daniel Veillard)
- Add xmlHaltParser() to stop the parser (Daniel Veillard)
- xmlStopParser reset errNo (Daniel Veillard)
- Reenable xz support by default (Daniel Veillard)
- Recover unescaped less-than character in HTML recovery parsing (Daniel Veillard)
- Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance)
- Regression test for bug #695699 (Nick Wellnhofer)
- Add a couple of XPath tests (Nick Wellnhofer)
- Add Python 3 rpm subpackage (Tomas Radej)
- libxml2-config.cmake.in: update include directories (Samuel Martin)
- Adding example from bugs 738805 to regression tests (Daniel Veillard)

Thanks everybody for contributions to this release, I know there is a lot
of other non-security oriented patches floating around, now that is mostly
off my back, I will start looking at those. Reminders on the list may be
helpful !

Daniel

-- 
Daniel Veillard | Open Source and Standards, Red Hat
veill...@redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library

Re: [xml] Release of libxml2-2.9.3
On 20.11.2015 11:17, Daniel Veillard wrote:
> So yes that release is packed with Security and ugly bugs fixes,
> more than overall improvements, I have put signed tarballs and rpms
> to the usual place at
>
> ftp://xmlsoft.org/libxml2/
>
> Update is strongly suggested !

so this is a release of libxml2, not libvirt - updated the subject.

___
xml mailing list, project page http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml

Re: [xml] Release of libvirt-2.9.3
Hi Daniel and all,

On Fri, 20 Nov 2015 18:17:56 +0800
Daniel Veillard wrote:

> This is a security release, I didn't try to push a number of other
> patches considering urgency.
>
> That release is dedicated to the memory of Bill Brack who was my
> co-maintainer for many years on libxml2 and libxslt, we became friends,
> he has a huge influence still on the way I do things. Unfortunately he passed
> away last February. I'm sure he would have commented that celebrating
> his legacy with a release with so many CVE would be a tribute to his
> programming skills, because he always approached life with a sense of
> humor. RIP Bill, the code still lives but OpenSource is more about
> people than code !

RIP Bill! Sorry to hear about his death. And I enjoyed reading this paragraph
dedicated to his memory.

That put aside:

1. The Subject line says "libvirt" instead of "libxml2".

2. I have packaged and submitted libxml2-2.9.3 for Mageia Linux Cauldron. So it
should appear in its repositories soon. Seems like all of our downstream
patches were no longer necessary.

Regards,

Shlomi Fish

-- 
Shlomi Fish http://www.shlomifish.org/
What does “Zionism” mean? - http://shlom.in/def-zionism

Chuck Norris is the reason why the Knights who until Recently Said “Ni”, are
no longer saying “Ni”.
— http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/

Please reply to list if it's a mailing list post - http://shlom.in/reply .

Re: [xml] Release of libvirt-2.9.3
On Fri, Nov 20, 2015 at 02:17:38PM +0200, Shlomi Fish wrote:
> Hi Daniel and all,

Heya,

> On Fri, 20 Nov 2015 18:17:56 +0800
> Daniel Veillard wrote:
>
> > This is a security release, I didn't try to push a number of other
> > patches considering urgency.
> >
> > That release is dedicated to the memory of Bill Brack who was my
> > co-maintainer for many years on libxml2 and libxslt, we became friends,
> > he has a huge influence still on the way I do things. Unfortunately he passed
> > away last February. I'm sure he would have commented that celebrating
> > his legacy with a release with so many CVE would be a tribute to his
> > programming skills, because he always approached life with a sense of
> > humor. RIP Bill, the code still lives but OpenSource is more about
> > people than code !
>
> RIP Bill! Sorry to hear about his death. And I enjoyed reading this paragraph
> dedicated to his memory.
>
> That put aside:
>
> 1. The Subject line says "libvirt" instead of "libxml2".

I'm doing upstream releases for libvirt every month, Pavlov in action,
sorry about that, yes it's definitely a libxml2-2.9.3 release

> 2. I have packaged and submitted libxml2-2.9.3 for Mageia Linux Cauldron. So it
> should appear in its repositories soon. Seems like all of our downstream
> patches were no longer necessary.

Ack, thanks to all downstream packagers to push that down to users !

Daniel

-- 
Daniel Veillard | Open Source and Standards, Red Hat
veill...@redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/