Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2017:0380-1

Опубликовано: 03 фев. 2017
Источник: suse-cvrf

Описание

Security update for libxml2

This update for libxml2 fixes the following issues:

  • CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
  • Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
  • CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).

Список пакетов

SUSE Linux Enterprise Desktop 12 SP2
libxml2-2-2.9.4-33.1
libxml2-2-32bit-2.9.4-33.1
libxml2-tools-2.9.4-33.1
python-libxml2-2.9.4-33.1
SUSE Linux Enterprise Server 12 SP2
libxml2-2-2.9.4-33.1
libxml2-2-32bit-2.9.4-33.1
libxml2-doc-2.9.4-33.1
libxml2-tools-2.9.4-33.1
python-libxml2-2.9.4-33.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libxml2-2-2.9.4-33.1
libxml2-doc-2.9.4-33.1
libxml2-tools-2.9.4-33.1
python-libxml2-2.9.4-33.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
libxml2-2-2.9.4-33.1
libxml2-2-32bit-2.9.4-33.1
libxml2-doc-2.9.4-33.1
libxml2-tools-2.9.4-33.1
python-libxml2-2.9.4-33.1
SUSE Linux Enterprise Software Development Kit 12 SP2
libxml2-devel-2.9.4-33.1

Ссылки

Описание

xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-33.1
Ссылки

Описание

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-33.1
Ссылки

Описание

It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-33.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-33.1
Ссылки
Уязвимость SUSE-SU-2017:0380-1