Nick, thank you for shipping this release! Is there any additional information about CVE-2022-23308 (other than the commit log) that would help downstream projects triage? Was there a CVSS score calculated or severity assigned?
On Sun, Feb 20, 2022 at 7:53 AM Nick Wellnhofer via xml <xml@gnome.org> wrote: > Version 2.9.13 of libxml2 is available at: > > https://download.gnome.org/sources/libxml2/2.9/ > > Note that starting with this release, libxml2 tarballs are published on > download.gnome.org instead of ftp.xmlsoft.org. > > ### Security > > - [CVE-2022-23308] Use-after-free of ID and IDREF attributes > (Thanks to Shinji Sato for the report) > - Use-after-free in xmlXIncludeCopyRange (David Kilzer) > - Fix null deref in xmlSchemaGetComponentTargetNs (huangduirong) > - Fix memory leak in xmlXPathCompNodeTest > - Fix null pointer deref in xmlStringGetNodeList > - Fix several memory leaks found by Coverity (David King) > > ### Fixed regressions > > - Fix regression in RelaxNG pattern matching > - Properly handle nested documents in xmlFreeNode > - Fix regression with PEs in external DTD > - Fix random dropping of characters on dumping ASCII encoded XML (Mohammad > Razavi) > - Revert "Make schema validation fail with multiple top-level elements" > - Fix regression when parsing invalid HTML tags in push mode > - Fix regression parsing public IDs literals in HTML > - Fix buffering in xmlOutputBufferWrite > - Fix whitespace when serializing empty HTML documents > - Fix XPath recursion limit > - Fix regression in xmlNodeDumpOutputInternal > - Work around lxml API abuse > > ### Bug fixes > > - Fix xmlSetTreeDoc with entity references > - Fix double counting of CRLF in comments > - Make sure to grow input buffer in xmlParseMisc > - Don't ignore xmllint options after "-" > - Don't normalize namespace URIs in XPointer xmlns() scheme > - Fix handling of XSD with empty namespace > - Also register HTML document nodes > - Make xmllint return an error if arguments are missing > - Fix handling of ctxt->base in xmlXPtrEvalXPtrPart > - Fix xmllint --maxmem > - Fix htmlReadFd, which was using a mix of xml and html context functions > (Finn Barber) > - Move current position before possible calling of ctxt->sax->characters > (Yulin Li) > - Fix parse failure when 4-byte character in UTF-16 BE is split across a > chunk > (David Kilzer) > - Patch to forbid epsilon-reduction of final states (Arne Becker) > - Avoid segfault at exit when using custom memory functions (Mike Dalessio) > > ### Tests, code quality, fuzzing > > - Remove .travis.yml > - Make xmlFuzzReadString return a zero size in error case > - Fix unused function warning in testapi.c > - Update NewsML DTD in test suite > - Add more checks for malloc failures in xmllint.c > - Avoid potential integer overflow in xmlstring.c > - Run CI tests with UBSan implicit-conversion checks > - Fix casting of line numbers in SAX2.c > - Fix integer conversion warnings in hash.c > - Add explicit casts in runtest.c > - Fix integer conversion warning in xmlIconvWrapper > - Add suffix to unsigned constant in xmlmemory.c > - Add explicit casts in testchar.c > - Fix integer conversion warnings in xmlstring.c > - Add explicit cast in xmlURIUnescapeString > - Remove unused variable in xmlCharEncOutFunc (David King) > > ### Build system, portability > > - Remove xmlwin32version.h > - Fix fuzzer test with VPATH build > - Support custom prefix when installing Python module > - Remove Makefile.win > - Remove CVS and SVN-related code > - Port python 3.x module to Windows and improve distutils (Chun-wei Fan) > - Correctly install the HTML examples into their subdirectory (Mattia > Rizzolo) > - Refactor the settings of $docdir (Mattia Rizzolo) > - Remove unused configure checks (Ben Boeckel) > - python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James) > - Fix check for libtool in autogen.sh > - Use version in configure.ac for CMake (Timothy Lyanguzov) > - Add CMake alias targets for embedded projects (Markus Rickert) > > ### Documentation > > - Remove SVN keyword anchors > - Rework README > - Remove README.cvs-commits > - Remove old ChangeLog > - Update hyperlinks > - Remove README.docs > - Remove MAINTAINERS > - Remove xmltutorial.pdf > - Upload documentation to GitLab pages > - Document how to escape XML_CATALOG_FILES > - Fix libxml2.doap > - Update URL for libxml++ C++ binding (Kjell Ahlstedt) > - Generate devhelp2 index file (Emmanuele Bassi) > - Mention XML_CATALOG_FILES is space-separated (Jan Tojnar) > - Add documentaiton for xmllint exit code 10 (Rainer Canavan) > - Fix some validation errors in the FAQ (David King) > - Add instructions on how to use CMake to compile libxml (Markus Rickert) > > Thanks to all contributors! > > Nick > > _______________________________________________ > xml mailing list, project page http://xmlsoft.org/ > xml@gnome.org > https://mail.gnome.org/mailman/listinfo/xml >
_______________________________________________ xml mailing list, project page http://xmlsoft.org/ xml@gnome.org https://mail.gnome.org/mailman/listinfo/xml
