Operating System:

[Debian]

Published:

23 May 2022

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2022.2499 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2499
                          libxml2 security update
                                23 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29824  

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2022/msg00110.html

Comment: CVSS (Max):  6.5 CVE-2022-29824 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5142-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2022                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libxml2
CVE ID         : CVE-2022-29824
Debian Bug     : 1010526

Felix Wilhelm reported that several buffer handling functions in
libxml2, a library providing support to read, modify and write XML and
HTML files, don't check for integer overflows, resulting in
out-of-bounds memory writes if specially crafted, multi-gigabyte XML
files are processed. An attacker can take advantage of this flaw for
denial of service or execution of arbitrary code.

For the oldstable distribution (buster), this problem has been fixed
in version 2.9.4+dfsg1-7+deb10u4.

For the stable distribution (bullseye), this problem has been fixed in
version 2.9.10+dfsg-6.7+deb11u2.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmKJ919fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QYbw/+Km1VrO2214d+etzZ31VeHn5R/UtGDeCRUN51qf4x82JChUXaoi8c/pI4
MChbevhE29HFilYqTkFo2N7nArgT1WwRGzsjs4lXQ8j8YXsJYLJmR87Ley57z4lA
S06I/3i4Su7az79XHA33tKWrFeAjwtjIhZ/in7OR2Dzm19quag9frdeWSHccAjwY
zvE4mbrMItHhiTcTRS2kg29R2NcWxE0VOK1k5fyiJ+IBtdqTsJmeJ68gmWjJOvet
uM9IYcmMHQay2ROVnO+e11aG1UB9E6j/k8BKSCV9cobkDByNfpKk4hD0oNtoKaHp
VgQr0XXXemFKUSXCJISOkCDiWPvKHZeuu935H+dIMrFQ+9xP3z0Ct1EK+HHLmqzb
2E1E/4yYZltxXWZC7oVZttvdOMBotDMQ0K4QwJYc4gHnan6lZgrxpaXtxgbkqvEZ
DMeBZC7GVqjhSC8dggHfJbpONQI8u9EjiAPq/cJUnFEdlyc63J7Ti4oFAQ5BuZSn
cEcPJlMo+3TKIsyPBsxwQAIOGup6pXoBdJLZVYd2umuhhyEdBP35S1OhQ4o5bjfR
9x9NOJex6AubUdGGUe3fZgwrAIYcGHTNzTEqlKKmFmyHx1X0+1UcECmJ9zye0cPU
ILXofOp+VUeLSm0JeqvhAYD8C47ZaYX9mSo2VPjtM0L1Kz4Pto0=
=lDgh
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYoq2fMkNZI30y1K9AQgXWQ/9G/Kgvlmu2mMDTGUUkN5bg/p5B7h28chz
EXW6l8yN27A5cFhi6c/7DK91h+Hig1G3jWLBPfZ1VOMG8e6Uzogg0QwNkpasfK7l
lhHlDLDfpv2X0xP9RLA3Z0HdlqPAcqSWgJpd3GgDFp13lpmuW6rm06gL+DHKNi5G
/+NVxacBTWW6SK2Y7Ebc4iqA0zOQrzLIrESmypFW7Ve9esIVEHkuqZpvjxYRfU8V
ZAwXSfB43gBS8HswZLDFW1uDji5Jya1Rs9t5yiqJ1Uw6LlozGHTC4bJdNTGt66uJ
pCLX3nBn4b/eq3PG8W070yOZRTQ+4YCOk3f+Jb4MLMSaKmnry364zu7PCXj3ZbEO
jXXKrprS1KBHry2eH2ETKm+ORufDFVjS7ZQB2WFHxbUlkVqRhVgkmwU5kk5Pm2qK
cmum/V/6U9Jww5Nw3J8Y4H/jKCV2umoVto7DD4242zwBXGGkw2gWt8K7pU8QP39T
e+FkRQCWX+AlPjkm/sXEvuQ8+KfTBjV6Q12LgpEeiVim4rFE+CGz/RfOSO0RTX4Q
dJJocfSndV0ikbeNAoqrVvKpBavfdn4gdeBN1nOpGhJfsq3/q1RIFTk4GhOGmq59
Q/VroQmtJ30TwcIb5WvYGAXvB0EEtQxhSs3cp0mcXs71wTRqpJtY69Rbtf788pDx
1nz6jskoCKE=
=yYtt
-----END PGP SIGNATURE-----