Nick Wellnhofer has announced the release of two new versions of libxml2, a widely-used C-based XML toolkit originally developed for the GNOME Project. The new versions, 2.13.9 and 2.14.6, fix various regressions, security vulnerabilities, and bugs, and improve the library's overall functionality and build systems.
                                    
                                    
Key Updates in libxml2 2.13.9

The release notes for libxml2 2.13.9 highlight significant fixes and improvements, including:

- Regressions:
  - Resolved an issue where IDs were incorrectly added during entity content validation.
  - Fixed problems with reading from input pipes like stdin on Windows.
  - Addressed issues related to handling invalid character references in recovery mode.
- Security Fixes:
  - Prevented integer overflows and out-of-bounds array accesses.
  - Guarded against type corruption in the tree structure.
  - Addressed multiple CVEs related to buffer overflows and null pointer dereferences, ensuring better security and stability.
- Bug Fixes:
  - Fixed serialization issues with attribute defaults containing less-than characters.
- Improvements:
  - Corrected the argument type for the `xmlSaturatedAddSizeT` function.

Key Updates in libxml2 2.14.6

The release notes for libxml2 2.14.6 also outline crucial updates:

- Regressions:
  - Ensured IDs are not added during the validation of entity content.
  - Fixed the function `initGenericErrorDefaultFunc(NULL)`, as highlighted by contributor Samuel Thibault.
  - Undeprecated certain functions (`xmlAdd*Decl`) that may be important for developers.
- Security Fixes:
  - Addressed integer overflow and out-of-bounds array access issues in regex components.
  - Continued to guard against potential type corruptions.
- Improvements:
  - Corrected the argument type for `xmlSaturatedAddSizeT`, similar to version 2.13.9.

Download Links

Users can download the new versions from the following links:

- [libxml2 2.13.9](https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.9.tar.xz)
- [libxml2 2.14.6](https://download.gnome.org/sources/libxml2/2.14/libxml2-2.14.6.tar.xz)

Checksums

The SHA256 checksums for verifying the integrity of the downloads are as follows:

- libxml2 2.13.9: a2c9ae7b770da34860050c309f903221c67830c86e4a7e760692b803df95143a
- libxml2 2.14.6: 7ce458a0affeb83f0b55f1f4f9e0e55735dbfc1a9de124ee86fb4a66b597203a
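
Checking a downloaded tarball against the SHA256 values listed above, as an added example that is not part of the announcement or of libxml2. The function names are hypothetical, and the script assumes the file keeps its upstream name.

```shell
#!/bin/sh
# Added example: verify libxml2 tarballs against the digests in the announcement.

# Map an upstream file name to its published SHA256 (values copied from the page).
expected_sha256() {
    case "$1" in
        libxml2-2.13.9.tar.xz)
            echo a2c9ae7b770da34860050c309f903221c67830c86e4a7e760692b803df95143a ;;
        libxml2-2.14.6.tar.xz)
            echo 7ce458a0affeb83f0b55f1f4f9e0e55735dbfc1a9de124ee86fb4a66b597203a ;;
        *) return 1 ;;
    esac
}

# Print the SHA256 of a file using whichever common tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_tarball PATH
# Returns 0 on match, 1 on mismatch, 2 if the name is unknown or the file unreadable.
verify_tarball() {
    path=$1
    name=$(basename "$path")
    want=$(expected_sha256 "$name") || { echo "no published digest for $name" >&2; return 2; }
    [ -r "$path" ] || { echo "cannot read $path" >&2; return 2; }
    got=$(file_sha256 "$path")
    if [ "$got" = "$want" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name: got $got" >&2
        return 1
    fi
}

# Verify every path given on the command line; stop at the first failure.
for f in "$@"; do
    verify_tarball "$f" || exit $?
done
```

Run it as `sh verify.sh libxml2-2.14.6.tar.xz` before unpacking. A digest only proves the download matches what was published if the digest itself was obtained over a channel you trust.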

Future Directions

As libxml2 continues to evolve, users can anticipate ongoing enhancements in functionality, security, and compatibility, particularly as the library adapts to newer systems and technologies. Developers are encouraged to stay updated with the latest releases to benefit from improvements and maintain robust XML parsing capabilities in their applications. Further contributions and feedback from the community can help drive future developments and address emerging challenges in XML processing.