lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20080826175323.GA11324@steve.org.uk>
Date: Tue, 26 Aug 2008 18:53:23 +0100
From: Steve Kemp <skx@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1631-2                  security@...ian.org
http://www.debian.org/security/                               Steve Kemp
August 26, 2008                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : denial of service
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-3281

The previous security update of the libxml2 package introduced
some problems with other packages, most notably with librsvg.
This update corrects these problems whilst still fixing the
reported scurity problem.

For reference the text of the previous security announcement
follows:

Andreas Solberg discovered that libxml2, the GNOME XML library,
could be forced to recursively evaluate entities, until available
CPU & memory resources were exhausted.

For the stable distribution (etch), this problem has been fixed in version
2.6.27.dfsg-4.

For the unstable distribution (sid), this problem has been fixed in
version 2.6.32.dfsg-3.

We recommend that you upgrade your libxml2 package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4.dsc
    Size/MD5 checksum:      893 71d8dbd9fb4d082a273289513941da33
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg.orig.tar.gz
    Size/MD5 checksum:  3416175 5ff71b22f6253a6dd9afc1c34778dec3
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4.diff.gz
    Size/MD5 checksum:   145887 5579bcc5d4fb2e33789853d826e265a3

Architecture independent packages:

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-4_all.deb
    Size/MD5 checksum:  1328140 adb1d2d477eacbaf8347aa50eac782bb

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_alpha.deb
    Size/MD5 checksum:   820516 31ef1df11042703555ae2be4cd070d77
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_alpha.deb
    Size/MD5 checksum:   881632 3ed598806d32756af480a32db50d29bb
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_alpha.deb
    Size/MD5 checksum:   184762 9dcde3e1f90ff7dfc42b2c8ce0c0e24e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_alpha.deb
    Size/MD5 checksum:   916300 ed1c5f1efa3dc141d5d4c79820bfef3c
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_alpha.deb
    Size/MD5 checksum:    37978 47fe74c3d93abc8e596d836ef4eb8fcb

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_amd64.deb
    Size/MD5 checksum:   184120 58ab6cccdd5484e4bfcf4b6dd27c9e00
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_amd64.deb
    Size/MD5 checksum:    36680 dd0b6f7984f011ae92bd7e09bf83f02f
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_amd64.deb
    Size/MD5 checksum:   795770 4063d07d3876bfbc3f6fcf19e5cafb4a
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_amd64.deb
    Size/MD5 checksum:   891790 b727f5ae98ce30abe97a1fba3ac40d38
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_amd64.deb
    Size/MD5 checksum:   745276 5af9ee2e1337339b2e892fedba428e3c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_arm.deb
    Size/MD5 checksum:   165294 ad35b56851b1593e360b686ecfec65fc
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_arm.deb
    Size/MD5 checksum:   672778 b08822852ad4599685c9dc3188373c4d
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_arm.deb
    Size/MD5 checksum:   741398 47071e65bd39d46da2671a307254ae1e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_arm.deb
    Size/MD5 checksum:   816988 f52a68650d018f67aab33ae26d5dd143
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_arm.deb
    Size/MD5 checksum:    34672 a936724e14d1319ca9a79a0f3711d250

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_hppa.deb
    Size/MD5 checksum:   192854 81a84d2b04ad199969eff68a5132850e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_hppa.deb
    Size/MD5 checksum:    36858 2473f5535d88f7f15d5828896384c40a
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_hppa.deb
    Size/MD5 checksum:   849856 99c8f064ed4f2eaad000bb5069ef302e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_hppa.deb
    Size/MD5 checksum:   863750 e830ea5314f70dee660743fc1c9b158d
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_hppa.deb
    Size/MD5 checksum:   858008 4fea504a87f852497df6288315275ccf

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_i386.deb
    Size/MD5 checksum:   681202 30924287393f6c3be0cabd7459233384
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_i386.deb
    Size/MD5 checksum:   755716 8d5a4b27d85883876fb6a801b81e4a22
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_i386.deb
    Size/MD5 checksum:   169028 e888a4121857a3e71a2e7fa45a047571
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_i386.deb
    Size/MD5 checksum:    34496 53a91e24ea34079fe292b4fab6b2896b
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_i386.deb
    Size/MD5 checksum:   857040 8b37acacabb9d85ab8992d5426f28c82

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_ia64.deb
    Size/MD5 checksum:  1105708 88c594f73ceaaca62dfa28274bd31fe9
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_ia64.deb
    Size/MD5 checksum:  1079688 f2a9fa0eb94dcdb5175111f6b3359bc9
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_ia64.deb
    Size/MD5 checksum:   873912 c7ba5c84b4972aa287c2d27a0427864e
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_ia64.deb
    Size/MD5 checksum:   196530 5ee6abed0af70043dbdc76f4d4623fe9
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_ia64.deb
    Size/MD5 checksum:    48498 f868a6d64cb5bdb14bdcf97e8aa0dd1e

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-3_mips.deb
    Size/MD5 checksum:   171664 355f77c5275a13f3eb83527068cff621
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-3_mips.deb
    Size/MD5 checksum:   769486 cfa1b956ceb1e04ecbd9509df27dfa6a
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_mips.deb
    Size/MD5 checksum:    34426 91378abe49acd1892f74cb46ade696e1
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-3_mips.deb
    Size/MD5 checksum:   926324 05a3b536190e243ab38ab8be3dc0b2e1
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-3_mips.deb
    Size/MD5 checksum:   839986 e125b22dd4493e44127569c0c6c2a123
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_mips.deb
    Size/MD5 checksum:   840028 454d30d21466c6991d36709d545bb616
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_mips.deb
    Size/MD5 checksum:   769770 a9fdc081287daeac42162ce1a2175ab4
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-3_mips.deb
    Size/MD5 checksum:    34426 dbc7089955d66008c4f5cf83dc9b99d1
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_mips.deb
    Size/MD5 checksum:   926092 7eb78aa1b849416a958e1348af488859
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_mips.deb
    Size/MD5 checksum:   171672 27c5bdf91c1d4b60968907e1b62cca4d

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_mipsel.deb
    Size/MD5 checksum:   832738 a6de09f65ab37e850751d97829cc6617
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_mipsel.deb
    Size/MD5 checksum:   168694 2f29cc087add99df4f6ab916a9926811
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_mipsel.deb
    Size/MD5 checksum:   897444 867b3e92f1a42f0bc65f7238ce560f46
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_mipsel.deb
    Size/MD5 checksum:   768592 cb9819c21c8e6b030f9859db384c57aa
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_mipsel.deb
    Size/MD5 checksum:    34402 ab51ba73d01bcd7565a3484f2f0773b4

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_powerpc.deb
    Size/MD5 checksum:    37664 44817ba18e1cbef8bb632931619799b8
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_powerpc.deb
    Size/MD5 checksum:   897608 ace5c9edc38cf6a827c2a3bdd8f148d2
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_powerpc.deb
    Size/MD5 checksum:   779646 d9a1addfd80b91de74d135ae721f2289
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_powerpc.deb
    Size/MD5 checksum:   770646 aea60a0c32642ff21a7b4df0a8cf718f
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_powerpc.deb
    Size/MD5 checksum:   172734 4777957bb08a5078eaa157fb1137198d

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_s390.deb
    Size/MD5 checksum:   805482 3a09ab61016672208e30a5e217305f1a
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_s390.deb
    Size/MD5 checksum:   749824 9277f1e383f35050030bc4d22cf6c835
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_s390.deb
    Size/MD5 checksum:   185726 03cd09eb4a14e6905211421ed425df4e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_s390.deb
    Size/MD5 checksum:   884934 80a368f56c164922488988957898b702
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_s390.deb
    Size/MD5 checksum:    36372 d1e9cb343470264435e5fb6642f2ca3f

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-4_sparc.deb
    Size/MD5 checksum:   712810 804bcef65cec53bb7b801fc15736c435
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-4_sparc.deb
    Size/MD5 checksum:   759322 42dc3f7722459a697efad99eadbe357e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-4_sparc.deb
    Size/MD5 checksum:   781040 4f066aa412fd8c29e9780d8d0a690ccd
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-4_sparc.deb
    Size/MD5 checksum:    34576 ad057148379fcd1ca730e17fd2d4cf00
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-4_sparc.deb
    Size/MD5 checksum:   176872 49f013c4d6097a188d85c80edcda1ced


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFItEK6wM/Gs81MDZ0RAmbkAKCLssK/lsN+yKcYnfKm1qSNme8wQQCfRen2
kIpqRbjJBLr7yInFLT4S5Oo=
=LFMV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ