On Mon, Dec 14, 2015 at 9:44 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Can you look to see if Ubuntu is carrying some
> distro-specific patch that affects this?
Here's what is in the log for the change that I think is the one that
came through today:
============================================================
libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via entity expansion issue - debian/patches/CVE-2015-5312.patch: properly exit
whenentity expansion is detected in parser.c. - CVE-2015-5312 * SECURITY UPDATE: heap buffer overflow in
xmlDictComputeFastQKey - debian/patches/CVE-2015-7497.patch: check offset in dict.c. - CVE-2015-7497 * SECURITY
UPDATE:denial of service via encoding conversion failures - debian/patches/CVE-2015-7498.patch: avoid processing
entitiesafter encoding conversion failures in parser.c. - CVE-2015-7498 * SECURITY UPDATE: out of bounds read in
xmlGROW - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the parser in parser.c. -
debian/patches/CVE-2015-7499-2.patch:check input in parser.c. - CVE-2015-7499 * SECURITY UPDATE: out of bounds read
inxmlParseMisc - debian/patches/CVE-2015-7500.patch: check entity boundaries in parser.c. - CVE-2015-7500 *
SECURITYUPDATE: denial of service via extra processing of MarkupDecl - debian/patches/CVE-2015-8241.patch: add extra
EOFcheck in parser.c. - CVE-2015-8241 * SECURITY UPDATE: buffer overead with HTML parser in push mode -
debian/patches/CVE-2015-8242.patch:use pointer in the input in HTMLparser.c. - CVE-2015-8242 * SECURITY UPDATE:
denialof service via encoding failures - debian/patches/CVE-2015-8317-1.patch: do not process encoding values if
thedeclaration is broken in parser.c. - debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding
conversionfailed in parser.c. - CVE-2015-8317
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 09 Dec 2015
12:00:30 -0500
============================================================
I don't know how that compares to other distros...
--
Kevin Grittner
EDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company