Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 2394-1] libxml2 security update
From: Luciano Bello <luciano () debian org>
Date: Thu, 26 Jan 2012 23:46:37 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2394-1                   security () debian org
http://www.debian.org/security/                             Luciano Bello
January 27, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0216 CVE-2011-2821 CVE-2011-2834 CVE-2011-3905 
                 CVE-2011-3919 
Debian Bug     : 652352 643648 656377

Many security problems had been fixed in libxml2, a popular library to handle
XML data files.

CVE-2011-3919:
Jüri Aedla discovered a heap-based buffer overflow that allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
unknown vectors.

CVE-2011-0216:
An Off-by-one error have been discoveried that allows remote attackers to 
execute arbitrary code or cause a denial of service. 

CVE-2011-2821:
A memory corruption (double free) bug has been identified in libxml2's XPath
engine. Through it, it is possible to an attacker allows cause a denial of 
service or possibly have unspecified other impact. This vulnerability does not
affect the oldstable distribution (lenny).

CVE-2011-2834:
Yang Dingning discovered a double free vulnerability related to XPath handling.

CVE-2011-3905:
An out-of-bounds read vulnerability had been discovered, which allows remote
attackers to cause a denial of service.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.6.32.dfsg-5+lenny5.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze2.

For the testing distribution (wheezy), this problem has been fixed in
version 2.7.8.dfsg-7.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.8.dfsg-7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce () lists debian org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8h1n8ACgkQQWTRs4lLtHnXgACfV+dXC4Yc/aNb5udhKMYsEryT
mXAAoLetgUJRnDACae5LC9qnegUiNHRt
=j/Is
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 2394-1] libxml2 security update Luciano Bello (Jan 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]