Description
Security update for libxml2
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed non-deterministic hashing of empty dict strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2023-39615: Fixed a global buffer overflow that a crafted XML document could trigger (bsc#1214768).
- CVE-2016-3709: Fixed cross-site scripting vulnerability in libxml (bsc#1201978).
Package list
Container suse/ltss/sle12.5/sles12sp5:latest
Container suse/sles12sp5:latest
Image SLES12-SP5-Azure-BYOS
Image SLES12-SP5-Azure-Basic-On-Demand
Image SLES12-SP5-Azure-HPC-BYOS
Image SLES12-SP5-Azure-HPC-On-Demand
Image SLES12-SP5-Azure-SAP-BYOS
Image SLES12-SP5-Azure-SAP-On-Demand
Image SLES12-SP5-Azure-Standard-On-Demand
Image SLES12-SP5-EC2-BYOS
Image SLES12-SP5-EC2-ECS-On-Demand
Image SLES12-SP5-EC2-On-Demand
Image SLES12-SP5-EC2-SAP-BYOS
Image SLES12-SP5-EC2-SAP-On-Demand
Image SLES12-SP5-GCE-BYOS
Image SLES12-SP5-GCE-On-Demand
Image SLES12-SP5-GCE-SAP-BYOS
Image SLES12-SP5-GCE-SAP-On-Demand
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Linux Enterprise Software Development Kit 12 SP5
References
- Link for SUSE-SU-2023:3665-1
- E-Mail link for SUSE-SU-2023:3665-1
- SUSE Security Ratings
- SUSE Bug 1201978
- SUSE Bug 1210411
- SUSE Bug 1210412
- SUSE Bug 1214768
- SUSE CVE CVE-2016-3709 page
- SUSE CVE CVE-2023-28484 page
- SUSE CVE CVE-2023-29469 page
- SUSE CVE CVE-2023-39615 page
Description
Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
Affected products
References
- CVE-2016-3709
- SUSE Bug 1201978
Description
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
Affected products
References
- CVE-2023-28484
- SUSE Bug 1210411
Description
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
Affected products
References
- CVE-2023-29469
- SUSE Bug 1210412
Description
** DISPUTED ** Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.
Affected products
References
- CVE-2023-39615
- SUSE Bug 1214768