| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1Yc9EG-0006Ul-Ce@titan.mandriva.com> Date: Sun, 29 Mar 2015 11:10:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2015:111 ] libxml2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:111 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : libxml2 Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated libxml2 packages fix security vulnerabilities: It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors (CVE-2014-0191). A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior (CVE-2014-3660). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660 http://advisories.mageia.org/MGASA-2014-0214.html http://advisories.mageia.org/MGASA-2014-0418.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: a35559f4de0f536e3a6468d310edb22a mbs2/x86_64/lib64xml2_2-2.9.1-3.1.mbs2.x86_64.rpm 0a6a1369092011423c7166a214e8c828 mbs2/x86_64/lib64xml2-devel-2.9.1-3.1.mbs2.x86_64.rpm 4b0c0e185dd14ecdb6f7440e324ca1af mbs2/x86_64/libxml2-python-2.9.1-3.1.mbs2.x86_64.rpm c80299579258833fd0899b9ec4ed1cfd mbs2/x86_64/libxml2-utils-2.9.1-3.1.mbs2.x86_64.rpm bcacc9a4c667c5511db76d0512a38d29 mbs2/SRPMS/libxml2-2.9.1-3.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF7NzmqjQ0CJFipgRAkTqAJ0Wy3rhdRALQuZhOglWO+C15uowWgCfaoys i1Yd1rUMC67jFCPkumBZamo= =SUXj -----END PGP SIGNATURE-----
Powered by blists - more mailing lists