-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2264
                          libxml2 security update
                               30 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3541 CVE-2021-3537 CVE-2021-3518 CVE-2021-3517
                   CVE-2021-3516
Reference:         ESB-2021.2190
                   ESB-2021.2175
                   ESB-2021.1849
                   ESB-2021.1578

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:2569

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libxml2 security update
Advisory ID:       RHSA-2021:2569-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2569
Issue date:        2021-06-29
CVE Names:         CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3537
                   CVE-2021-3541
=====================================================================

1. Summary:

An update for libxml2 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libxml2 library is a development toolbox providing the implementation
of various XML standards.

Security Fix(es):

* libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c
(CVE-2021-3516)

* libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in
entities.c (CVE-2021-3517)

* libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c
(CVE-2021-3518)

* libxml2: NULL pointer dereference when post-validating mixed content
parsed in recovery mode (CVE-2021-3537)

* libxml2: Exponential entity expansion attack bypasses all existing
protection mechanisms (CVE-2021-3541)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The desktop must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1950515 - CVE-2021-3541 libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms
1954225 - CVE-2021-3516 libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c
1954232 - CVE-2021-3517 libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
1954242 - CVE-2021-3518 libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c
1956522 - CVE-2021-3537 libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:
libxml2-debuginfo-2.9.7-9.el8_4.2.aarch64.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.aarch64.rpm
libxml2-devel-2.9.7-9.el8_4.2.aarch64.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.aarch64.rpm

ppc64le:
libxml2-debuginfo-2.9.7-9.el8_4.2.ppc64le.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.ppc64le.rpm
libxml2-devel-2.9.7-9.el8_4.2.ppc64le.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.ppc64le.rpm

s390x:
libxml2-debuginfo-2.9.7-9.el8_4.2.s390x.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.s390x.rpm
libxml2-devel-2.9.7-9.el8_4.2.s390x.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.s390x.rpm

x86_64:
libxml2-debuginfo-2.9.7-9.el8_4.2.i686.rpm
libxml2-debuginfo-2.9.7-9.el8_4.2.x86_64.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.i686.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.x86_64.rpm
libxml2-devel-2.9.7-9.el8_4.2.i686.rpm
libxml2-devel-2.9.7-9.el8_4.2.x86_64.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.i686.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
libxml2-2.9.7-9.el8_4.2.src.rpm

aarch64:
libxml2-2.9.7-9.el8_4.2.aarch64.rpm
libxml2-debuginfo-2.9.7-9.el8_4.2.aarch64.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.aarch64.rpm
python3-libxml2-2.9.7-9.el8_4.2.aarch64.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.aarch64.rpm

ppc64le:
libxml2-2.9.7-9.el8_4.2.ppc64le.rpm
libxml2-debuginfo-2.9.7-9.el8_4.2.ppc64le.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.ppc64le.rpm
python3-libxml2-2.9.7-9.el8_4.2.ppc64le.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.ppc64le.rpm

s390x:
libxml2-2.9.7-9.el8_4.2.s390x.rpm
libxml2-debuginfo-2.9.7-9.el8_4.2.s390x.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.s390x.rpm
python3-libxml2-2.9.7-9.el8_4.2.s390x.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.s390x.rpm

x86_64:
libxml2-2.9.7-9.el8_4.2.i686.rpm
libxml2-2.9.7-9.el8_4.2.x86_64.rpm
libxml2-debuginfo-2.9.7-9.el8_4.2.i686.rpm
libxml2-debuginfo-2.9.7-9.el8_4.2.x86_64.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.i686.rpm
libxml2-debugsource-2.9.7-9.el8_4.2.x86_64.rpm
python3-libxml2-2.9.7-9.el8_4.2.x86_64.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.i686.rpm
python3-libxml2-debuginfo-2.9.7-9.el8_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYNtL/tzjgjWX9erEAQjxLQ//duZKcJ7TaO142GBhdCisTgMiWdghVM2n
93ZhsbPte2fkXeQW+j1G2YEz8qnh4vaxRq6xmn3pQvZJzRXw57QeFDyqQzLhrQd6
evpeV+47zit/N0dzpAyf1aeAf9UJVE9wsTrTJjdxF5NO3t5/qT58X12Zq6Hm8zH5
GKlPCsvfRwpwOGPLv+pYPthmzZ6H3SGf0gJ3ey1qpXwzb8WAMYVQPQDJYkx4L/DE
oXreSceOUzKp3o1enIHVdgY/9DQ7JyRfEfDL6YjBYuevzU7mTPzP1HJYQx1nXchA
umxej3cJepMKSMJoClehfK4lhx3ydthR/o63f5sXIucNDXwmdloWxsICb+xEh79+
WoaMO3ahn0clLidnOqawNkyJJyLYEb5EespRXbUbD6vQV2eShUfLlaad4MhEDn5m
RAultWI5tFGfmaF4qbhF+mXayX8Tff7+BM0xXj03+93s5mTxMeMCiVHmAxMAyUME
XmLEU+0wE/QP4yQisS6qhav+3I3GdB5r+OH4zbs6W4YrXLCeVm01wbLuusDDi+DC
nBrzZiHnWf/QO1A6BG/Lb84vPQ9brLwuA0xgbuWnqrt8ecLVVN9PKYJ9iyGrrALB
8v6vfHy9kb6THRAfv0CLwEOCIZ1i/BfYkrWOqRK0sKyWiu/uQ8l04sspWrtgbADk
M8gXu8nL798=
=QACc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYNu/5eNLKJtyKPYoAQiX8g/9ErPAKAo+JiVe+tCUVsXJ1XiY5Qyhn6CD
Z0pVnoH/QFeZgh2LvqxyfzlI3nBB01lIoLYwxVbLq6Dc3Dkwc995YEHHr/lBOUjt
0/0/Fn68zp4ohIdLbXUF6Bl5haz6hQXHktast65cfHP9ItETnbxwBN2d+pwf7gJh
D1uJEtvU0crt/0yuZiSSku76PQg4sanJXmzPNBb+AXQtZyC6IuGBYrWz8enHXgQX
AvlPEOFh6SmZtApxuAkfoChuXMwSLcSbYjs5ctl0r13TSoyxVJ/Fbq/kG4+eoXh5
ngZ2o4zZOCCKZMPksaAq5nRn8HW0hAyrZ8Tp/3fA58U0B3E112ZwcLT7KExDmCcY
9cd0r48Od2slZbFFGevLTUO2z4yAm6WHXVKSwhFzhbUGffdXZEjlqMYyYr/EljnM
xobVt2Kg2nHBRZ/+QXBEqq0Hb7tYIKJKwonU42BujzLc+Z1W7UitW8WCnw8pK7DU
6xCzaDvFgNXLxb6S1sEpjXGH5mNWRAbfyz4019Vvxo1d4qzkMvhoY+CwyjX3iCFO
X2Zeot2cC+jqP9DTFUovLZKLc89y9TV2c7Fqc2UxjZjdmPivgA0PM8AOEHYa8TJe
Z/8xVliGKuq+jfFU9omiuRO2SevSRCWdXitref1d09Re2B0hz1FqgvvVuZ2P3C8s
/L8b1jcgoHc=
=LzPs
-----END PGP SIGNATURE-----
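The advisory's section 6 gives the build that closes these five CVEs on RHEL 8: libxml2, libxml2-devel and python3-libxml2 at 2.9.7-9.el8_4.2. The following script is an added example, not part of the AusCERT bulletin or Red Hat's advisory. It takes `host <rpm -q output>` inventory lines and reports hosts whose installed build is still below the fixed one. `rpmvercmp()` is a Python reimplementation of RPM's segment-wise version comparison written for this example (an approximation of librpm, not a call into it), epoch 0 for libxml2 is an assumption, and the inventory, hostnames and out-of-date builds are constructed for illustration.

```python
"""Report RHEL 8 hosts whose libxml2 packages predate RHSA-2021:2569.

Added example, not part of the advisory. rpmvercmp() reimplements the
digit/alpha segment comparison RPM uses (an approximation, not librpm).
"""

# Fixed build from section 6 of the advisory. Epoch 0 is an assumption
# (libxml2 on RHEL 8 carries no epoch).
FIXED_EVR = "0:2.9.7-9.el8_4.2"

# Binary package names taken from the advisory's package list.
AFFECTED = {"libxml2", "libxml2-devel", "python3-libxml2"}

# Constructed inventory: "host <output of rpm -q PACKAGE>" per line.
# Hostnames and the two older builds are made up for this example.
SAMPLE_INVENTORY = """\
web01 libxml2-2.9.7-9.el8_4.2.x86_64
web02 libxml2-2.9.7-9.el8.x86_64
db01  libxml2-2.9.7-9.el8_4.2.aarch64
app01 python3-libxml2-2.9.7-9.el8_4.1.x86_64
app01 glibc-2.28-151.el8.x86_64
"""


def _run(s: str, k: int, pred) -> int:
    """Length of the run of characters starting at s[k] that satisfy pred."""
    n = k
    while n < len(s) and pred(s[n]):
        n += 1
    return n - k


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as RPM orders version (or release) strings a and b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including the end of the string.
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before anything else.
        if (i < len(a) and a[i] == "^") or (j < len(b) and b[j] == "^"):
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if a[i] != "^":
                return 1
            if b[j] != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Compare one run of digits or one run of letters from each side.
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        la, lb = _run(a, i, pred), _run(b, j, pred)
        if lb == 0:
            return 1 if isnum else -1  # a numeric segment beats an alpha one
        sa, sb = a[i:i + la], b[j:j + lb]
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + la, j + lb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has characters left wins


def split_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    if ":" in evr:
        epoch, rest = evr.split(":", 1)
    else:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_compare(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    return evr_compare(installed_evr, fixed_evr) >= 0


def parse_nevra(nevra: str):
    """Split 'name-[epoch:]version-release.arch' as rpm -q prints it."""
    rest, _, arch = nevra.rpartition(".")
    nv, _, release = rest.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release, arch


def audit(inventory: str = SAMPLE_INVENTORY, fixed_evr: str = FIXED_EVR):
    """Return 'host nevra' strings for affected packages below the fixed build."""
    vulnerable = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, nevra = line.split()
        name, version, release, _ = parse_nevra(nevra)
        if name in AFFECTED and not is_patched(f"{version}-{release}", fixed_evr):
            vulnerable.append(f"{host} {nevra}")
    return vulnerable


if __name__ == "__main__":
    for entry in audit():
        print("NEEDS UPDATE:", entry)
```

On a real fleet the inventory would be produced by running `rpm -q libxml2 libxml2-devel python3-libxml2` on each host and prefixing the hostname; `rpm -q` prints the name-version-release.arch form the parser expects, and "package ... is not installed" lines should be filtered out before feeding them in. Any hit is a host still exposed to the five CVEs listed in section 3 and, per section 4, one where the desktop session must be restarted after the update.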