ESB-2014.1156.2 - UPDATE [Debian] libxml2: Denial of service - Remote/unauthenticated

Date: 09 February 2015
References: ESB-2014.0767  ESB-2014.1173  ESB-2014.1316  ESB-2014.2303  ESB-2015.0797  ESB-2015.2114  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.1156.2
                          libxml2 security update
                              9 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3660 CVE-2014-0191 

Reference:         ESB-2014.0767

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2015/msg00039.html

Revision History:  February  9 2015: It was discovered that the update 
                                     released for libxml2 in DSA 2978 fixing 
                                     CVE-2014-0191 was incomplete.
                   July     14 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2978-2                   security@debian.org
http://www.debian.org/security/                        Alessandro Ghedini
February 06, 2015                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libxml2
CVE ID         : CVE-2014-0191 CVE-2014-3660
Debian Bug     : 768089

It was discovered that the update released for libxml2 in DSA 2978 fixing
CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external
entities regardless of whether entity substitution or validation is
enabled.

In addition, this update addresses a regression introduced in DSA 3057 by
the patch fixing CVE-2014-3660. This caused libxml2 to not parse an
entity when it's used first in another entity referenced from an
attribute value.

For the stable distribution (wheezy), these problems have been fixed in
version 2.8.0+dfsg1-7+wheezy3.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 2.9.1+dfsg1-4.

For the unstable distribution (sid), these problems have been fixed in
version 2.9.1+dfsg1-4.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----