lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Kdy6i-0001hy-BW@titan.mandriva.com>
Date: Thu, 11 Sep 2008 20:10:00 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:192 ] libxml2


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:192
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libxml2
 Date    : September 11, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A heap-based buffer overflow was found in how libxml2 handled long
 XML entity names.  If an application linked against libxml2 processed
 untrusted malformed XML content, it could cause the application to
 crash or possibly execute arbitrary code (CVE-2008-3529).
 
 The updated packages have been patched to prevent this issue.
 As well, the patch to fix CVE-2008-3281 has been updated to remove
 the hard-coded entity limit that was set to 5M, instead using XML
 entity density heuristics.  Many thanks to Daniel Veillard of Red Hat
 for his hard work in tracking down and dealing with the edge cases
 discovered with the initial fix to this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1:
 9250adec77a5118119d5000f2305540f  2007.1/i586/libxml2-2.6.27-3.4mdv2007.1.i586.rpm
 103dba08606f0038f3a9f4107ceba442  2007.1/i586/libxml2-devel-2.6.27-3.4mdv2007.1.i586.rpm
 a388bf596ef6725fb5baadb4e056a0bd  2007.1/i586/libxml2-python-2.6.27-3.4mdv2007.1.i586.rpm
 d2333e42a538101e36eab7d12467e08b  2007.1/i586/libxml2-utils-2.6.27-3.4mdv2007.1.i586.rpm 
 94a25c63f54693b7ac289223a6a3a687  2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 343f8656039b69716fe712eeb2d1bf4e  2007.1/x86_64/lib64xml2-2.6.27-3.4mdv2007.1.x86_64.rpm
 320d8dd8245f5ec6db46bedaf07afb3e  2007.1/x86_64/lib64xml2-devel-2.6.27-3.4mdv2007.1.x86_64.rpm
 fb6f52df6831cda42db46502cc761475  2007.1/x86_64/lib64xml2-python-2.6.27-3.4mdv2007.1.x86_64.rpm
 8440fc08fee99f18a81a32035fac166a  2007.1/x86_64/libxml2-utils-2.6.27-3.4mdv2007.1.x86_64.rpm 
 94a25c63f54693b7ac289223a6a3a687  2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 c53b40d9c7ebec036f9175c8f4e87b3b  2008.0/i586/libxml2_2-2.6.30-1.4mdv2008.0.i586.rpm
 4a4ed97086b52cab3bbd34fe4d7003a0  2008.0/i586/libxml2-devel-2.6.30-1.4mdv2008.0.i586.rpm
 d3898465dc2797a2b20be8310dd4f484  2008.0/i586/libxml2-python-2.6.30-1.4mdv2008.0.i586.rpm
 34c524fa03b470093bd0b0c679bcb9c4  2008.0/i586/libxml2-utils-2.6.30-1.4mdv2008.0.i586.rpm 
 2dc2f4732992e27aea4c5a098c631ae8  2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 20ac98b346a1f18b90504cb623c530d8  2008.0/x86_64/lib64xml2_2-2.6.30-1.4mdv2008.0.x86_64.rpm
 fd5907e801bf4f64ee79d097fcaec2b6  2008.0/x86_64/lib64xml2-devel-2.6.30-1.4mdv2008.0.x86_64.rpm
 20f45401e501b9639a9b53d82a4e031f  2008.0/x86_64/libxml2-python-2.6.30-1.4mdv2008.0.x86_64.rpm
 22be20e194ba2177a47d831ee8c82f47  2008.0/x86_64/libxml2-utils-2.6.30-1.4mdv2008.0.x86_64.rpm 
 2dc2f4732992e27aea4c5a098c631ae8  2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 61e96824adc6e61b2764bb3a85e2e76d  2008.1/i586/libxml2_2-2.6.31-1.3mdv2008.1.i586.rpm
 6d0cc51d32c7b6ecd609250aad302034  2008.1/i586/libxml2-devel-2.6.31-1.3mdv2008.1.i586.rpm
 1e7c4ddd30677789de05cc464dde9790  2008.1/i586/libxml2-python-2.6.31-1.3mdv2008.1.i586.rpm
 edd477e34b08f94956eeedd387b5e509  2008.1/i586/libxml2-utils-2.6.31-1.3mdv2008.1.i586.rpm 
 b1078a83185c1c97fada7ea5e97df753  2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 9d25e809ad31decb111a38301b2a74c1  2008.1/x86_64/lib64xml2_2-2.6.31-1.3mdv2008.1.x86_64.rpm
 f35af82dffc02628edb1ce03113c3ba0  2008.1/x86_64/lib64xml2-devel-2.6.31-1.3mdv2008.1.x86_64.rpm
 5819b393de9ff05be4d670c8e5d36080  2008.1/x86_64/libxml2-python-2.6.31-1.3mdv2008.1.x86_64.rpm
 fb670bfb1a1673f99f3c3fc3a72b7777  2008.1/x86_64/libxml2-utils-2.6.31-1.3mdv2008.1.x86_64.rpm 
 b1078a83185c1c97fada7ea5e97df753  2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

 Corporate 3.0:
 82e733037c09b4b7770f5325c7ed1325  corporate/3.0/i586/libxml2-2.6.6-1.5.C30mdk.i586.rpm
 d66da7916f188883fd164cb250431bba  corporate/3.0/i586/libxml2-devel-2.6.6-1.5.C30mdk.i586.rpm
 5df28181424b19132bbff6afa872475a  corporate/3.0/i586/libxml2-python-2.6.6-1.5.C30mdk.i586.rpm
 f7a86c3be6e4926fa101386a9cbbcbdd  corporate/3.0/i586/libxml2-utils-2.6.6-1.5.C30mdk.i586.rpm 
 c64826e1b31ed0c5d4514780ecd52e2e  corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 76e631bd88c68085dc2c5702235c2a99  corporate/3.0/x86_64/lib64xml2-2.6.6-1.5.C30mdk.x86_64.rpm
 827f9f5bc3a1b869353e3c09879ea432  corporate/3.0/x86_64/lib64xml2-devel-2.6.6-1.5.C30mdk.x86_64.rpm
 caafa3371f80f084e8a945b3114b4533  corporate/3.0/x86_64/lib64xml2-python-2.6.6-1.5.C30mdk.x86_64.rpm
 e37a70f9cd13a7e00982387a9ba97726  corporate/3.0/x86_64/libxml2-utils-2.6.6-1.5.C30mdk.x86_64.rpm 
 c64826e1b31ed0c5d4514780ecd52e2e  corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

 Corporate 4.0:
 74eea161b5519eef6c16b2407126a847  corporate/4.0/i586/libxml2-2.6.21-3.4.20060mlcs4.i586.rpm
 5d8d1e0e487022687c1c61fbaf91707e  corporate/4.0/i586/libxml2-devel-2.6.21-3.4.20060mlcs4.i586.rpm
 d5aa677468c9e8baae074a12f6c63c00  corporate/4.0/i586/libxml2-python-2.6.21-3.4.20060mlcs4.i586.rpm
 d51b4b902bb911be69f6a17aeb07d8cf  corporate/4.0/i586/libxml2-utils-2.6.21-3.4.20060mlcs4.i586.rpm 
 ce28651304236296e59d6d3be5525889  corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 812f2ae0ffa7a72546b07bd7de174453  corporate/4.0/x86_64/lib64xml2-2.6.21-3.4.20060mlcs4.x86_64.rpm
 23ae06098f957e46affa75220cac50af  corporate/4.0/x86_64/lib64xml2-devel-2.6.21-3.4.20060mlcs4.x86_64.rpm
 93cb252dadfadd4249062f903e604f82  corporate/4.0/x86_64/lib64xml2-python-2.6.21-3.4.20060mlcs4.x86_64.rpm
 aeff512a1b349108017e93633fabcf08  corporate/4.0/x86_64/libxml2-utils-2.6.21-3.4.20060mlcs4.x86_64.rpm 
 ce28651304236296e59d6d3be5525889  corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIyaCLmqjQ0CJFipgRApioAJ9P7O5hzNQ4UuYvEIhTVLyyn9Tv9wCg4DSp
mZuI5mJOfDomJXN1l5E7NSw=
=tPwM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ