lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NGwTN-0001e9-Az@titan.mandriva.com>
Date: Sat, 05 Dec 2009 16:23:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:316 ] expat


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:316
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : expat
 Date    : December 5, 2009
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 3.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in expat:
 
 The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
 as used in the XML-Twig module for Perl, allows context-dependent
 attackers to cause a denial of service (application crash) via an
 XML document with malformed UTF-8 sequences that trigger a buffer
 over-read, related to the doProlog function in lib/xmlparse.c,
 a different vulnerability than CVE-2009-2625 and CVE-2009-3720
 (CVE-2009-3560).
 
 Packages for 2008.0 are being provided due to extended support for
 Corporate products.
 
 This update provides a solution to these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 9108b905fb1da6ed2fa0f83a0c386641  2008.0/i586/expat-2.0.1-4.2mdv2008.0.i586.rpm
 f204a06346e382581b0d3f3301ffadd3  2008.0/i586/libexpat1-2.0.1-4.2mdv2008.0.i586.rpm
 ab9269a6452f0191d17b88a7cae90949  2008.0/i586/libexpat1-devel-2.0.1-4.2mdv2008.0.i586.rpm 
 6363348acd6f5f6f0fa5c4aa61a6ebbd  2008.0/SRPMS/expat-2.0.1-4.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 03e2988fe55ecd7c7888cdb87ca9e779  2008.0/x86_64/expat-2.0.1-4.2mdv2008.0.x86_64.rpm
 8322f60c8e9ac7f21243b220951d52ec  2008.0/x86_64/lib64expat1-2.0.1-4.2mdv2008.0.x86_64.rpm
 7433c14fc17e7c5eaf177c002cc1d75c  2008.0/x86_64/lib64expat1-devel-2.0.1-4.2mdv2008.0.x86_64.rpm 
 6363348acd6f5f6f0fa5c4aa61a6ebbd  2008.0/SRPMS/expat-2.0.1-4.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 a3406f038312e930bcf6e37591cf872a  2009.0/i586/expat-2.0.1-7.2mdv2009.0.i586.rpm
 15a6e0faa82f77c0a29b9db9abbb8930  2009.0/i586/libexpat1-2.0.1-7.2mdv2009.0.i586.rpm
 7d6e768b90064aed25977f3fa66a86a8  2009.0/i586/libexpat1-devel-2.0.1-7.2mdv2009.0.i586.rpm 
 778a521e0fe9de8444aebbea544aaceb  2009.0/SRPMS/expat-2.0.1-7.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 7cffc848d7c1018ef8cf2f6ead9c56c7  2009.0/x86_64/expat-2.0.1-7.2mdv2009.0.x86_64.rpm
 314b0c2ee406f43fa2d48edccb40465d  2009.0/x86_64/lib64expat1-2.0.1-7.2mdv2009.0.x86_64.rpm
 eeda32bc03d649fe1c1975433532c78d  2009.0/x86_64/lib64expat1-devel-2.0.1-7.2mdv2009.0.x86_64.rpm 
 778a521e0fe9de8444aebbea544aaceb  2009.0/SRPMS/expat-2.0.1-7.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 1700ce9cfb27620758d354d996433e76  2009.1/i586/expat-2.0.1-8.2mdv2009.1.i586.rpm
 517a6e6356a1fc05cea9a7a473ccfd61  2009.1/i586/libexpat1-2.0.1-8.2mdv2009.1.i586.rpm
 38d04bf472e9d4008fb636149d25fbeb  2009.1/i586/libexpat1-devel-2.0.1-8.2mdv2009.1.i586.rpm 
 3e6ab6cdb43fff3547b4f24aab4ec82b  2009.1/SRPMS/expat-2.0.1-8.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 0c0b11d85cac8a9f3da701e452acb6ad  2009.1/x86_64/expat-2.0.1-8.2mdv2009.1.x86_64.rpm
 ac3512d4f42111bbee9987c5c93c7005  2009.1/x86_64/lib64expat1-2.0.1-8.2mdv2009.1.x86_64.rpm
 fd409ba4722686326c9fe1d9db3ead42  2009.1/x86_64/lib64expat1-devel-2.0.1-8.2mdv2009.1.x86_64.rpm 
 3e6ab6cdb43fff3547b4f24aab4ec82b  2009.1/SRPMS/expat-2.0.1-8.2mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 d9a3e00019a7a0486f22988ba923b22f  2010.0/i586/expat-2.0.1-10.1mdv2010.0.i586.rpm
 bdcf6e26502cde43c8239de13841afb2  2010.0/i586/libexpat1-2.0.1-10.1mdv2010.0.i586.rpm
 cd58e1d189212d7b54dc1fda48aa915c  2010.0/i586/libexpat1-devel-2.0.1-10.1mdv2010.0.i586.rpm 
 c7a0caabeee91810964149052325fc41  2010.0/SRPMS/expat-2.0.1-10.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 520af61cc436ac5fcef44464e41467e8  2010.0/x86_64/expat-2.0.1-10.1mdv2010.0.x86_64.rpm
 42198ace124689b5303611d03974d2a3  2010.0/x86_64/lib64expat1-2.0.1-10.1mdv2010.0.x86_64.rpm
 42bb51a93dfd026f91c7c4181f53988b  2010.0/x86_64/lib64expat1-devel-2.0.1-10.1mdv2010.0.x86_64.rpm 
 c7a0caabeee91810964149052325fc41  2010.0/SRPMS/expat-2.0.1-10.1mdv2010.0.src.rpm

 Corporate 3.0:
 b6aaa4059149ce789b85618334255c76  corporate/3.0/i586/expat-1.95.6-4.2.C30mdk.i586.rpm
 f4a9f6fb4d3e53446ef059fbe3b93bdd  corporate/3.0/i586/libexpat0-1.95.6-4.2.C30mdk.i586.rpm
 b9d823b63878bb690dc9fddac1ca2a61  corporate/3.0/i586/libexpat0-devel-1.95.6-4.2.C30mdk.i586.rpm 
 43e083dc87a85e530d7f8206102e1eac  corporate/3.0/SRPMS/expat-1.95.6-4.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 44e65c80d7feb44d67c2e8a168595f66  corporate/3.0/x86_64/expat-1.95.6-4.2.C30mdk.x86_64.rpm
 de22ad66c1d6b83a6c5310dd3e179927  corporate/3.0/x86_64/lib64expat0-1.95.6-4.2.C30mdk.x86_64.rpm
 da53e544b02e14ed23096ce9a71353b9  corporate/3.0/x86_64/lib64expat0-devel-1.95.6-4.2.C30mdk.x86_64.rpm 
 43e083dc87a85e530d7f8206102e1eac  corporate/3.0/SRPMS/expat-1.95.6-4.2.C30mdk.src.rpm

 Corporate 4.0:
 a49316221d42e4a2cfe15b1788474e7b  corporate/4.0/i586/expat-1.95.8-1.2.20060mlcs4.i586.rpm
 9e83fb9d0ca5799399ca5f10e92fb4cd  corporate/4.0/i586/libexpat0-1.95.8-1.2.20060mlcs4.i586.rpm
 3d1a006b0039c30babe0407db5f26ee2  corporate/4.0/i586/libexpat0-devel-1.95.8-1.2.20060mlcs4.i586.rpm 
 2695cdbc0f4c8af7c8d6b89cf28675f8  corporate/4.0/SRPMS/expat-1.95.8-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 df66dc609fb70e7022c6c5aa8dcce5c9  corporate/4.0/x86_64/expat-1.95.8-1.2.20060mlcs4.x86_64.rpm
 e9b731d1ef96d3f4cd7390596a97cd3a  corporate/4.0/x86_64/lib64expat0-1.95.8-1.2.20060mlcs4.x86_64.rpm
 5e1a4cedad5e8d32eb1deabbbd6fa231  corporate/4.0/x86_64/lib64expat0-devel-1.95.8-1.2.20060mlcs4.x86_64.rpm 
 2695cdbc0f4c8af7c8d6b89cf28675f8  corporate/4.0/SRPMS/expat-1.95.8-1.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 4c7a80c4e63028d9c22feec7ea39863a  mes5/i586/expat-2.0.1-7.2mdvmes5.i586.rpm
 e3f6943d2fdc244cc6c320cef17398fe  mes5/i586/libexpat1-2.0.1-7.2mdvmes5.i586.rpm
 9e049d963fd965626bf9423ef115b693  mes5/i586/libexpat1-devel-2.0.1-7.2mdvmes5.i586.rpm 
 7787fe800e5725bce292f823d0c8ab73  mes5/SRPMS/expat-2.0.1-7.2mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 236584ced4908443a73c28912e01c643  mes5/x86_64/expat-2.0.1-7.2mdvmes5.x86_64.rpm
 1e7646bc5048a8718d60a028a8d30fe2  mes5/x86_64/lib64expat1-2.0.1-7.2mdvmes5.x86_64.rpm
 5b866d88e7846ab08b43858a84257b70  mes5/x86_64/lib64expat1-devel-2.0.1-7.2mdvmes5.x86_64.rpm 
 7787fe800e5725bce292f823d0c8ab73  mes5/SRPMS/expat-2.0.1-7.2mdvmes5.src.rpm

 Multi Network Firewall 2.0:
 f8db54d55d92f95a176440a7a6978dae  mnf/2.0/i586/expat-1.95.6-4.2.C30mdk.i586.rpm
 c83ec9ece46500bcc652fb0a8c574fcf  mnf/2.0/i586/libexpat0-1.95.6-4.2.C30mdk.i586.rpm
 02a342d1777e7bc726a3e294050a3c20  mnf/2.0/i586/libexpat0-devel-1.95.6-4.2.C30mdk.i586.rpm 
 4ec71f97401c195d2401225eac653560  mnf/2.0/SRPMS/expat-1.95.6-4.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGktEmqjQ0CJFipgRArfUAKDUGfL7722MRKbLGCcBOvvAj8frfQCgxfyF
iTjKX+OouJ0dDURPsS6vJ24=
=NJfZ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ