Posted to dev@openoffice.apache.org by Don Lewis <tr...@apache.org> on 2018/08/24 04:56:27 UTC

patch to update bundled libxml2 to version 2.9.8 and libxslt to version 1.1.32

We currently bundle libxml2 version 2.9.4 with trunk.  That version of
libxml2 has four CVEs.  Fortunately they can only be used to cause a
crash (DoS) instead of something worse.

There is one CVE for version 2.9.8, but the vulnerability (an infinite
loop DoS) can only be triggered if libxml2 is built with lzma support,
which we do not.

While here also upgrade libxslt to the latest version since both
libraries come from the same upstream and work together.

Light testing on Windows and CentOS 6 didn't turn up any problems.

OpenOffice on FreeBSD uses the system versions of libxml, version 2.9.7,
and libxslt, version 1.1.32.  No problems have been reported with those
versions.

Re: patch to update bundled libxml2 to version 2.9.8 and libxslt to version 1.1.32

Posted by Matthias Seidel <ma...@hamburg.de>.
Hi Don,

On 24.08.2018 at 06:56, Don Lewis wrote:
> We currently bundle libxml2 version 2.9.4 with trunk.  That version of
> libxml2 has four CVEs.  Fortunately they can only be used to cause a
> crash (DoS) instead of something worse.
>
> There is one CVE for version 2.9.8, but the vulnerability (an infinite
> loop DoS) can only be triggered if libxml2 is built with lzma support,
> which we do not.
>
> While here also upgrade libxslt to the latest version since both
> libraries come from the same upstream and work together.
>
> Light testing on Windows and CentOS 6 didn't turn up any problems.

My Windows build based on r1838788 and your patch applied was successful.
First tests show no anomalies.

Regards,
   Matthias

>
> OpenOffice on FreeBSD uses the system versions of libxml, version 2.9.7,
> and libxslt, version 1.1.32.  No problems have been reported with those
> versions.