ESB-2012.0088 - [Debian] libxml2: Multiple vulnerabilities

Date: 27 January 2012
References: ASB-2011.0068  ASB-2011.0079  ASB-2011.0114.2  ASB-2012.0004  ESB-2013.0136  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0088
                          libxml2 security update
                              27 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 5
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3919 CVE-2011-3905 CVE-2011-2834
                   CVE-2011-2821 CVE-2011-0216 

Reference:         ASB-2012.0004
                   ASB-2011.0114.2
                   ASB-2011.0079
                   ASB-2011.0068

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2394

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2394-1                   security@debian.org
http://www.debian.org/security/                             Luciano Bello
January 27, 2012                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0216 CVE-2011-2821 CVE-2011-2834 CVE-2011-3905 
                 CVE-2011-3919 
Debian Bug     : 652352 643648 656377

Many security problems have been fixed in libxml2, a popular library for handling
XML data files.

CVE-2011-3919:
Jüri Aedla discovered a heap-based buffer overflow that allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
unknown vectors.

CVE-2011-0216:
An off-by-one error has been discovered that allows remote attackers to
execute arbitrary code or cause a denial of service.

CVE-2011-2821:
A memory corruption (double free) bug has been identified in libxml2's XPath
engine. Through it, an attacker can cause a denial of service or possibly have
unspecified other impact. This vulnerability does not affect the oldstable
distribution (lenny).

CVE-2011-2834:
Yang Dingning discovered a double free vulnerability related to XPath handling.

CVE-2011-3905:
An out-of-bounds read vulnerability has been discovered, which allows remote
attackers to cause a denial of service.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.6.32.dfsg-5+lenny5.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze2.

For the testing distribution (wheezy), this problem has been fixed in
version 2.7.8.dfsg-7.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.8.dfsg-7.

We recommend that you upgrade your libxml2 packages.
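A defender-side check for the fixed versions listed above, added here as an example and not Debian's or AusCERT's code: it reimplements the dpkg version-ordering rules in Python so that a libxml2 version string collected from `dpkg-query -W -f='${Version}' libxml2` on each host can be compared against the DSA-2394-1 fixed versions without needing dpkg on the machine doing the comparison. The suite names and fixed versions come from the advisory; the installed-version strings used for testing are constructed.

```python
import re

# Fixed libxml2 versions as stated in DSA-2394-1, keyed by Debian suite.
FIXED_VERSIONS = {
    "lenny": "2.6.32.dfsg-5+lenny5",
    "squeeze": "2.7.8.dfsg-2+squeeze2",
    "wheezy": "2.7.8.dfsg-7",
    "sid": "2.7.8.dfsg-7",
}

def _order(c):
    # Rank of one non-digit character: '~' < end of string < letters < others.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare an upstream version or Debian revision the way dpkg does: alternate a
    # modified-lexical compare of the non-digit run with a numeric compare of the digit run.
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            ra = _order(sa[i] if i < len(sa) else "")
            rb = _order(sb[i] if i < len(sb) else "")
            if ra != rb:
                return -1 if ra < rb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def split_version(v):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision); split on the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt.
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_vulnerable(suite, installed):
    # True when the installed version predates the fix listed for that suite.
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0
```

A version equal to or newer than the suite's fixed version passes this check; libxml2 copies built or bundled outside the package system are not covered by it.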

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----