SUSE-SU-2017:1366-1

Published: 22 May 2017
Source: suse-cvrf

Description

Security update for libxml2

This update for libxml2 fixes the following issues:

  • Fixed a NULL pointer dereference in xpointer.c when parsing in recovery mode (bsc#1014873)
  • CVE-2016-9597: An XML document with many opening tags could cause a stack overflow that the recursion limits did not detect, allowing a DoS (bsc#1017497)
  • CVE-2014-0191: An external parameter entity was loaded even when entity substitution is disabled, which could cause a DoS (bsc#876652)
  • CVE-2016-9318: XML External Entity (XXE) expansion could be abused via a crafted document (bsc#1010675)

Package list

SUSE Linux Enterprise Desktop 12 SP1
libxml2-2-2.9.1-26.12.1
libxml2-2-32bit-2.9.1-26.12.1
libxml2-tools-2.9.1-26.12.1
python-libxml2-2.9.1-26.12.1
SUSE Linux Enterprise Server 12 SP1
libxml2-2-2.9.1-26.12.1
libxml2-2-32bit-2.9.1-26.12.1
libxml2-doc-2.9.1-26.12.1
libxml2-tools-2.9.1-26.12.1
python-libxml2-2.9.1-26.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
libxml2-2-2.9.1-26.12.1
libxml2-2-32bit-2.9.1-26.12.1
libxml2-doc-2.9.1-26.12.1
libxml2-tools-2.9.1-26.12.1
python-libxml2-2.9.1-26.12.1
SUSE Linux Enterprise Software Development Kit 12 SP1
libxml2-devel-2.9.1-26.12.1
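A practical way to consume this package list is to compare the fixed builds against what a host actually has installed, using RPM's own version-ordering rules rather than a plain string comparison (which would rank 26.8.1 above 26.12.1). The script below is an added example, not part of the SUSE advisory or of libxml2. It implements rpm's rpmvercmp() ordering (numeric and alphabetic segments, `~` for pre-releases; rpm's `^` separator and epochs are left out as a simplification), takes the SUSE Linux Enterprise Server 12 SP1 package names from this advisory, and reports every installed package that is older than the fixed build. The `rpm -qa` output embedded in it is constructed for the demonstration, and the script filename in the usage comment is hypothetical.

```python
"""Check installed libxml2 packages against SUSE-SU-2017:1366-1.

Added example, not the advisory's or libxml2's own code.  On a real host:
    rpm -qa | python3 check_suse_1366.py      # filename is hypothetical
"""
import sys

# Fixed builds for SUSE Linux Enterprise Server 12 SP1, as listed in the advisory.
ADVISORY_PACKAGES = [
    "libxml2-2-2.9.1-26.12.1",
    "libxml2-2-32bit-2.9.1-26.12.1",
    "libxml2-doc-2.9.1-26.12.1",
    "libxml2-tools-2.9.1-26.12.1",
    "python-libxml2-2.9.1-26.12.1",
]

# Constructed sample of `rpm -qa` output (name-version-release.arch); not a real host.
INSTALLED_SAMPLE = """\
libxml2-2-2.9.1-26.8.1.x86_64
libxml2-tools-2.9.1-26.12.1.x86_64
python-libxml2-2.9.1-26.14.2.x86_64
glibc-2.19-38.1.x86_64
"""

ARCHES = {"x86_64", "i586", "i686", "noarch", "aarch64", "ppc64le", "s390x"}


def _take(s, k, pred):
    """Return the run of characters starting at s[k] for which pred holds."""
    n = k
    while n < len(s) and pred(s[n]):
        n += 1
    return s[k:n]


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm's rpmvercmp() does.

    Returns -1, 0 or 1.  A segment starting with a digit is compared numerically,
    otherwise lexically; a numeric segment outranks an alphabetic one; '~' sorts
    before anything, including end of string.  Simplification: '^' is not handled.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as '.', '-', '_' (but never '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1          # b is a pre-release, so a is newer
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        i += len(sa)
        j += len(sb)
        if not sb:                # segment types differ: the numeric side wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(pkg):
    """'libxml2-2-32bit-2.9.1-26.12.1' -> ('libxml2-2-32bit', '2.9.1', '26.12.1')."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def strip_arch(line):
    base, _, arch = line.rpartition(".")
    return base if arch in ARCHES else line


def evr_cmp(v1, r1, v2, r2):
    """Compare version-release pairs; epochs are assumed equal (SUSE libxml2 has none)."""
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def check_host(advisory_packages, installed_lines):
    """Return (name, installed_vr, fixed_vr) for each installed package older than the fix."""
    fixed = {n: (v, r) for n, v, r in map(split_nvr, advisory_packages)}
    findings = []
    for line in installed_lines:
        line = line.strip()
        if line.count("-") < 2:   # not a name-version-release string
            continue
        name, ver, rel = split_nvr(strip_arch(line))
        if name in fixed and evr_cmp(ver, rel, *fixed[name]) < 0:
            findings.append((name, f"{ver}-{rel}", "-".join(fixed[name])))
    return findings


if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else INSTALLED_SAMPLE.splitlines()
    for name, have, want in check_host(ADVISORY_PACKAGES, lines):
        print(f"VULNERABLE {name}: installed {have}, fixed in {want}")
```

Run without input and it evaluates the constructed sample, flagging libxml2-2 at 2.9.1-26.8.1 and nothing else; python-libxml2 at 26.14.2 passes because rpm ordering compares the third release segment numerically. A package missing from the host (here libxml2-2-32bit) is not reported, which is the behaviour you want for an "is this host affected" check.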

Description (CVE-2014-0191)

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libxml2-2-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:libxml2-2-32bit-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:libxml2-tools-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:python-libxml2-2.9.1-26.12.1

Description (CVE-2016-9318)

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
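The gap this CVE describes, no single switch meaning "the document itself may be read but nothing else may be opened", is closed in libxml2 by not passing XML_PARSE_NOENT or XML_PARSE_DTDLOAD and by installing your own loader with xmlSetExternalEntityLoader() that refuses every request. The script below is an added example, not SUSE's or libxml2's own code; it uses Python's expat-based xml.sax module rather than libxml2 so that it runs without the library, but the policy it demonstrates is the one you would put in a libxml2 entity loader. It builds a constructed XXE document pointing at a temporary file and parses it three ways: external entities resolved (the vulnerable configuration, which leaks the file), external entities silently dropped, and fail-closed, where any external entity reference aborts the parse. Because the loader is consulted for external parameter entities as well as general ones, the fail-closed mode also covers the entity-loading behaviour behind CVE-2014-0191 above. The secret file contents, document and class names are all constructed for the demonstration.

```python
"""XXE: vulnerable versus hardened entity handling (added example, expat-based xml.sax,
not libxml2 itself; the same policy belongs in a libxml2 xmlSetExternalEntityLoader callback)."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class ExternalEntityBlocked(Exception):
    """Raised when a document tries to make the parser open something other than itself."""


class DenyExternal(xml.sax.handler.EntityResolver):
    """Entity loader that refuses every external entity, general or parameter."""

    def resolveEntity(self, publicId, systemId):
        raise ExternalEntityBlocked(f"refusing to open external entity {systemId!r}")


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def build_xxe_document(path):
    """Constructed attacker document: a general entity whose SYSTEM id is a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY ext SYSTEM "{path}">]>\n'
        "<data>&ext;</data>\n"
    ).encode()


def parse_with_policy(xml_bytes, policy):
    """Parse xml_bytes under one of three entity policies and return the text of <data>."""
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    ges = xml.sax.handler.feature_external_ges
    if policy == "resolve":          # vulnerable: the default resolver opens the file
        parser.setFeature(ges, True)
    elif policy == "drop":           # hardened: external entities expand to nothing
        parser.setFeature(ges, False)
        parser.setFeature(xml.sax.handler.feature_external_pes, False)
    elif policy == "reject":         # fail closed: the loader is consulted and refuses
        parser.setFeature(ges, True)
        parser.setEntityResolver(DenyExternal())
    else:
        raise ValueError(policy)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo():
    """Write a secret to a temp file, aim an XXE document at it, try all three policies."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("TOP-SECRET-TOKEN\n")     # constructed secret
        secret_path = f.name
    try:
        doc = build_xxe_document(secret_path)
        results = {
            "resolve": parse_with_policy(doc, "resolve"),
            "drop": parse_with_policy(doc, "drop"),
        }
        try:
            parse_with_policy(doc, "reject")
            results["rejected"] = False
        except ExternalEntityBlocked:
            results["rejected"] = True
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for policy, outcome in run_demo().items():
        print(f"{policy:>8}: {outcome!r}")
```

The "drop" policy is what most applications want when they merely need to parse untrusted input; "reject" is preferable in a gateway or validator, because a document that references an external entity at all is evidence of an attack and deserves a log entry rather than silent tolerance. In libxml2 terms, "resolve" corresponds to parsing with XML_PARSE_NOENT and the default loader, and both hardened modes to a custom loader that never opens anything.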


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libxml2-2-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:libxml2-2-32bit-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:libxml2-tools-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:python-libxml2-2.9.1-26.12.1

Description (CVE-2016-9597)

It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, leaving it vulnerable to a denial of service attack due to a stack overflow. This is a regression CVE for the same issue as CVE-2016-3705.


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libxml2-2-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:libxml2-2-32bit-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:libxml2-tools-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12 SP1:python-libxml2-2.9.1-26.12.1
