logo
DATABASE RESOURCES PRICING ABOUT US

Debian DLA-691-1 : libxml2 security update

Description

CVE-2016-4658 Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. CVE-2016-5131 The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. For Debian 7 'Wheezy', these problems have been fixed in version 2.8.0+dfsg1-7+wheezy7. We recommend that you upgrade your libxml2 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Related