SUSE-SU-2013:1625-1: important: Security update for libxml2

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Nov 4 09:04:09 MST 2013


   SUSE Security Update: Security update for libxml2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1625-1
Rating:             important
References:         #739894 #748561 #764538 #769184 #793334 #805233 
                    #829077 
Cross-References:   CVE-2011-3102 CVE-2011-3919 CVE-2012-0841
                    CVE-2012-2807 CVE-2012-5134 CVE-2013-0338
                    CVE-2013-0339 CVE-2013-2877
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:


   This is a LTSS rollup update for the libxml2 library that
   fixes various  security issues.

   *

   CVE-2013-2877: parser.c in libxml2 allowed remote
   attackers to cause a denial of service (out-of-bounds read)
   via a document that ends abruptly, related to the lack of
   certain checks for the XML_PARSER_EOF state.

   *

   CVE-2013-0338: libxml2 allowed context-dependent
   attackers to cause a denial of service (CPU and memory
   consumption) via an XML file containing an entity
   declaration with long replacement text and many references
   to this entity, aka "internal entity expansion" with linear
   complexity.

   *

   CVE-2012-5134: Heap-based buffer underflow in the
   xmlParseAttValueComplex function in parser.c in libxml2
   allowed remote attackers to cause a denial of service or
   possibly execute arbitrary code via crafted entities in an
   XML document.

   *

   CVE-2012-2807: Multiple integer overflows in libxml2
   on 64-bit Linux platforms allowed remote attackers to cause
   a denial of service or possibly have unspecified other
   impact via unknown vectors.

   *

   CVE-2011-3102: Off-by-one error in libxml2 allowed
   remote attackers to cause a denial of service
   (out-of-bounds write) or possibly have unspecified other
   impact via unknown vectors.

   *

   CVE-2012-0841: libxml2 computed hash values without
   restricting the ability to trigger hash collisions
   predictably, which allows context-dependent attackers to
   cause a denial of service (CPU consumption) via crafted XML
   data.

   *

   CVE-2011-3919: A heap-based buffer overflow during
   decoding of entity references with overly long names has
   been fixed.

   Security Issue references:

   * CVE-2013-0338
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
   >
   * CVE-2013-0339
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339
   >
   * CVE-2012-5134
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134
   >
   * CVE-2012-2807
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
   >
   * CVE-2011-3102
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
   >
   * CVE-2012-0841
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
   >
   * CVE-2011-3919
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3919
   >
   * CVE-2013-2877
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
   >



Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      libxml2-2.6.23-15.39.1
      libxml2-devel-2.6.23-15.39.1
      libxml2-python-2.6.23-15.39.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      libxml2-32bit-2.6.23-15.39.1
      libxml2-devel-32bit-2.6.23-15.39.1


References:

   http://support.novell.com/security/cve/CVE-2011-3102.html
   http://support.novell.com/security/cve/CVE-2011-3919.html
   http://support.novell.com/security/cve/CVE-2012-0841.html
   http://support.novell.com/security/cve/CVE-2012-2807.html
   http://support.novell.com/security/cve/CVE-2012-5134.html
   http://support.novell.com/security/cve/CVE-2013-0338.html
   http://support.novell.com/security/cve/CVE-2013-0339.html
   http://support.novell.com/security/cve/CVE-2013-2877.html
   https://bugzilla.novell.com/739894
   https://bugzilla.novell.com/748561
   https://bugzilla.novell.com/764538
   https://bugzilla.novell.com/769184
   https://bugzilla.novell.com/793334
   https://bugzilla.novell.com/805233
   https://bugzilla.novell.com/829077
   http://download.novell.com/patch/finder/?keywords=a3fdb1e2e30b1877238605841d41d573



More information about the sle-security-updates mailing list