Message-ID: <20041029195248.GA17660@box79162.elkhouse.de>
Date: Fri, 29 Oct 2004 21:52:49 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [USN-10-1] XML library vulnerabilities

===========================================================
Ubuntu Security Notice USN-10-1            October 28, 2004
XML library vulnerabilities
CAN-2004-0981
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libxml2

The problem can be corrected by upgrading the affected package to
version 2.6.11-3ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Several buffer overflows have been discovered in libxml2's FTP connection
and DNS resolution functions. Supplying very long FTP URLs or IP
addresses might result in execution of arbitrary code with the
privileges of the process using libxml2.

Since libxml2 is used in packages like php4-imagick, the vulnerability
might also lead to privilege escalation, such as executing
attacker-supplied code with a web server's privileges.

However, this does not affect the core XML parsing code, which is what
the majority of programs use this library for.


