From NEWS: """ +v2.11.0: Apr 28 2023 + +### Major changes + +Protection against entity expansion attacks, also known as "billion laughs" +has been greatly improved. Malicious files should be detected reliably now +and false positives should be reduced. It is possible though that large +documents which make heavy use of entities are rejected now. + [...] +### Security + +- Fix use-after-free in xmlParseContentInternal() (David Kilzer) +- xmllint: Fix use-after-free with --maxmem +- parser: Fix OOB read when formatting error message +- entities: Rework entity amplification checks [...] """
This version is currently masked for testing. Alpine already had to fix a bunch of test failures (or skip stuff for now). # Sam James <sam@gentoo.org> (2023-05-01) # Masked for testing. Other distros seem to have hit a bunch of new test # failures in various applications, and initially there were ABI issues in .0. >=dev-libs/libxml2-2.11.0
commit 9b2ad65342b2445a38775260e7f4497d06466ee4 Author: Sam James <sam@gentoo.org> Date: Wed May 10 20:33:44 2023 +0100 profiles: unmask new libxml2 Seems to have fixed the python bindings issue too: https://gitlab.gnome.org/GNOME/libxml2/-/commit/76c6da420923f2721a2e16adfcef8707a2454a1b. Closes: https://bugs.gentoo.org/745162 Signed-off-by: Sam James <sam@gentoo.org>
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64f596cbb52d0955503281d6998154eacb48d065 commit 64f596cbb52d0955503281d6998154eacb48d065 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-05-19 00:29:27 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-19 00:29:27 +0000 dev-libs/libxml2: add 2.11.4 This _might_ fix the LibreOffice issue. Bug: https://bugs.gentoo.org/905399 Bug: https://bugs.gentoo.org/906206 Signed-off-by: Sam James <sam@gentoo.org> dev-libs/libxml2/Manifest | 1 + dev-libs/libxml2/libxml2-2.11.4.ebuild | 195 +++++++++++++++++++++++++++++++++ 2 files changed, 196 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74742dfaadb00f833e7c786c9ea99e0c5e165176 commit 74742dfaadb00f833e7c786c9ea99e0c5e165176 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-05-20 07:17:48 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-20 07:17:48 +0000 profiles: mask intermediate bad libxml2-2.11.* (before <2.11.4) >=2.11.4 is fine, just 2.11.1 up to 2.11.3 were buggy. Mask to avoid confusing bug reports. Bug: https://bugs.gentoo.org/906206 Bug: https://bugs.gentoo.org/905399 Signed-off-by: Sam James <sam@gentoo.org> profiles/package.mask | 7 +++++++ 1 file changed, 7 insertions(+)
I've just removed the dev-ruby/nokogiri versions that required libxml-2.10 specifically, so the vulnerable versions can now be removed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=889ba46a2e07a740429cf26c3472ba6f6d527a2f commit 889ba46a2e07a740429cf26c3472ba6f6d527a2f Author: Sam James <sam@gentoo.org> AuthorDate: 2023-12-28 03:37:49 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-12-28 03:37:49 +0000 dev-libs/libxml2: drop 2.10.4, 2.11.4 Bug: https://bugs.gentoo.org/905399 Signed-off-by: Sam James <sam@gentoo.org> dev-libs/libxml2/Manifest | 2 - dev-libs/libxml2/libxml2-2.10.4.ebuild | 203 --------------------------------- dev-libs/libxml2/libxml2-2.11.4.ebuild | 202 -------------------------------- 3 files changed, 407 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=e85e47ba7c520c0a553d527c33c5c297cb8ff286 commit e85e47ba7c520c0a553d527c33c5c297cb8ff286 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-02-09 09:36:36 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-02-09 09:37:22 +0000 [ GLSA 202402-11 ] libxml2: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/904202 Bug: https://bugs.gentoo.org/905399 Bug: https://bugs.gentoo.org/915351 Bug: https://bugs.gentoo.org/923806 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202402-11.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+)