Possible use after free vulnerability via namespace nodes in XPointer ranges was found. Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
Created libxml2 tracking bugs for this issue: Affects: fedora-all [bug 1384427]
Created mingw-libxml2 tracking bugs for this issue: Affects: fedora-all [bug 1384429] Affects: epel-7 [bug 1384430]
(In reply to Adam Mariš from comment #0)
> Possible use after free vulnerability via namespace nodes in XPointer ranges
> was found.
>
> Upstream patch:
>
> https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b

Hello Adam,

We have been monitoring the URL ftp://xmlsoft.org/libxml2/ for the latest release of the official patch of libxml2 containing the patches for the bugs associated with CVE-2016-4658, CVE-2016-9318 and CVE-2016-9597, but have observed that no binary files have been released yet.

From the URL http://rpmfind.net/linux/RPM/opensuse/updates/leap/42.2/oss/src/libxml2-2.9.4-3.1.src.html we found that an RPM file has been released, but as our requirement is a binary version, we can't go for the RPM version.

Could you kindly confirm the ETA for the release of the official libxml2 2.9.4-3.1 binary package containing all the above-mentioned patches?

Kind regards,
Maumita Mandal
Is this still being considered for a fix? Please let me know.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3810 https://access.redhat.com/errata/RHSA-2021:3810
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days