patch to update bundled libxml2 to version 2.9.8 and libxslt to version 1.1.32


Don Lewis-2
We currently bundle libxml2 version 2.9.4 with trunk.  That version of
libxml2 has four CVEs.  Fortunately they can only be used to cause a
crash (DoS) instead of something worse.

There is one CVE for version 2.9.8, but the vulnerability (an infinite
loop DoS) can only be triggered if libxml2 is built with lzma support,
which we do not.

While here also upgrade libxslt to the latest version since both
libraries come from the same upstream and work together.

Light testing on Windows and CentOS 6 didn't turn up any problems.

OpenOffice on FreeBSD uses the system versions of libxml, version 2.9.7,
and libxslt, version 1.1.32.  No problems have been reported with those
versions.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

patch-libxml2 (11K) Download Attachment

Re: patch to update bundled libxml2 to version 2.9.8 and libxslt to version 1.1.32

Matthias Seidel

Hi Don,

On 24.08.2018 at 06:56, Don Lewis wrote:
> We currently bundle libxml2 version 2.9.4 with trunk.  That version of
> libxml2 has four CVEs.  Fortunately they can only be used to cause a
> crash (DoS) instead of something worse.
>
> There is one CVE for version 2.9.8, but the vulnerability (an infinite
> loop DoS) can only be triggered if libxml2 is built with lzma support,
> which we do not.
>
> While here also upgrade libxslt to the latest version since both
> libraries come from the same upstream and work together.
>
> Light testing on Windows and CentOS 6 didn't turn up any problems.

My Windows build based on r1838788 with your patch applied was successful.
First tests show no anomalies.

Regards,
   Matthias


> OpenOffice on FreeBSD uses the system versions of libxml, version 2.9.7,
> and libxslt, version 1.1.32.  No problems have been reported with those
> versions.

