openoffice-dev mailing list archives

From Don Lewis <truck...@apache.org>
Subject patch to update bundled libxml2 to version 2.9.8 and libxslt to version 1.1.32
Date Fri, 24 Aug 2018 04:56:27 GMT
We currently bundle libxml2 version 2.9.4 with trunk.  That version of
libxml2 has four CVEs.  Fortunately they can only be used to cause a
crash (DoS) instead of something worse.

There is one CVE for version 2.9.8, but the vulnerability (an infinite
loop DoS) can only be triggered if libxml2 is built with lzma support,
which we do not.

While here also upgrade libxslt to the latest version since both
libraries come from the same upstream and work together.

Light testing on Windows and CentOS 6 didn't turn up any problems.

OpenOffice on FreeBSD uses the system versions of libxml, version 2.9.7,
and libxslt, version 1.1.32.  No problems have been reported with those
versions.
