libxml2
| Link | package | bugs open | bugs closed | Wiki | GitHub | web search |
| Description | XML parsing library, version 2 |
| Version |
2.9.12-2 [testing] 2.9.10-9 [extra] |
Open
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1883 | 2.9.10-9 | 2.9.11-1 | Medium | Testing | FS#70822 |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-3541 | AVG-1883 | Low | Yes | Denial of service | A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms... |
| CVE-2021-3537 | AVG-1883 | Low | Yes | Denial of service | It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML... |
| CVE-2021-3518 | AVG-1883 | Medium | Yes | Arbitrary code execution | A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files. |
| CVE-2021-3517 | AVG-1883 | Medium | Yes | Arbitrary code execution | A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input. |
| CVE-2021-3516 | AVG-1883 | Medium | No | Arbitrary code execution | A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files. |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1263 | 2.9.10-5 | 2.9.10-6 | Medium | Fixed | FS#68510 |
| AVG-672 | 2.9.8-4 | 2.9.8-5 | Medium | Fixed | |
| AVG-671 | 2.9.5+6+g07e227ed-1 | 2.9.6+3+g5af594d8-1 | Medium | Fixed | |
| AVG-56 | 2.9.4+4+g3169602-1 | 2.9.4+12+ge905f08-1 | Critical | Fixed |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2020-24977 | AVG-1263 | Medium | Yes | Information disclosure | GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. |
| CVE-2020-7595 | AVG-1263 | Medium | Yes | Denial of service | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. |
| CVE-2019-20388 | AVG-1263 | Medium | Yes | Denial of service | A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed... |
| CVE-2018-9251 | AVG-672 | Medium | Yes | Denial of service | A security issue has been found in libxml2 <= 2.9.8 compiled with LZMA support enabled, in the xz_decomp function in xzlib.c. This flaw allows a remote... |
| CVE-2017-18258 | AVG-671 | Medium | Yes | Denial of service | A security issue has been found in libxml2 <= 2.9.6 compiled with LZMA support enabled, in the xz_head function in xzlib.c. This flaw allows a remote... |
| CVE-2016-5131 | AVG-56 | Critical | Yes | Arbitrary code execution | Bugs in xmlXPathEvalExpr and xmlXPtrRangeToFunction can lead to a use- after-free and allow control of the instruction pointer. |
| CVE-2016-4658 | AVG-56 | Critical | Yes | Arbitrary code execution | A use-after-free vulnerability via namespace nodes in XPointer ranges was found in libxml2. |
Advisories
| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 17 Nov 2020 | ASA-202011-15 | AVG-1263 | Medium | multiple issues |
| 01 Oct 2018 | ASA-201810-3 | AVG-672 | Medium | denial of service |
| 01 Nov 2016 | ASA-201611-2 | AVG-56 | Critical | arbitrary code execution |