| From: | Kevin Grittner <kgrittn(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Another XML build issue |
| Date: | 2015-12-14 15:53:51 |
| Message-ID: | CACjxUsNEU_EvMyJ3978BiYLxpcAWMy6h0tP0r8v9VOZG05Z3sw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Dec 14, 2015 at 9:44 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Can you look to see if Ubuntu is carrying some
> distro-specific patch that affects this?
Here's what is in the log for the change that I think is the one that
came through today:
============================================================
libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via entity expansion issue
- debian/patches/CVE-2015-5312.patch: properly exit when entity
expansion is detected in parser.c.
- CVE-2015-5312
* SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
- debian/patches/CVE-2015-7497.patch: check offset in dict.c.
- CVE-2015-7497
* SECURITY UPDATE: denial of service via encoding conversion failures
- debian/patches/CVE-2015-7498.patch: avoid processing entities after
encoding conversion failures in parser.c.
- CVE-2015-7498
* SECURITY UPDATE: out of bounds read in xmlGROW
- debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the
parser in parser.c.
- debian/patches/CVE-2015-7499-2.patch: check input in parser.c.
- CVE-2015-7499
* SECURITY UPDATE: out of bounds read in xmlParseMisc
- debian/patches/CVE-2015-7500.patch: check entity boundaries in
parser.c.
- CVE-2015-7500
* SECURITY UPDATE: denial of service via extra processing of MarkupDecl
- debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c.
- CVE-2015-8241
* SECURITY UPDATE: buffer overead with HTML parser in push mode
- debian/patches/CVE-2015-8242.patch: use pointer in the input in
HTMLparser.c.
- CVE-2015-8242
* SECURITY UPDATE: denial of service via encoding failures
- debian/patches/CVE-2015-8317-1.patch: do not process encoding values
if the declaration is broken in parser.c.
- debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding
conversion failed in parser.c.
- CVE-2015-8317
-- Marc Deslauriers <marc(dot)deslauriers(at)ubuntu(dot)com> Wed, 09 Dec 2015
12:00:30 -0500
============================================================
I don't know how that compares to other distros...
--
Kevin Grittner
EDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2015-12-14 16:00:32 | Re: Fixing warnings in back branches? |
| Previous Message | Tom Lane | 2015-12-14 15:44:12 | Re: Another XML build issue |