Jump to content
Compatible Support Forums
Sign in to follow this  
news

[RHSA-2015:2549-01] Moderate: libxml2 security update

Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: libxml2 security update

Advisory ID: RHSA-2015:2549-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2549.html

Issue date: 2015-12-07

CVE Names: CVE-2015-5312 CVE-2015-7497 CVE-2015-7498

CVE-2015-7499 CVE-2015-7500 CVE-2015-7941

CVE-2015-7942 CVE-2015-8241 CVE-2015-8242

CVE-2015-8317

=====================================================================

 

1. Summary:

 

Updated libxml2 packages that fix multiple security issues are now

available for Red Hat Enterprise Linux 6.

 

Red Hat Product Security has rated this update as having Moderate security

impact. Common Vulnerability Scoring System (CVSS) base scores, which give

detailed severity ratings, are available for each vulnerability from the

CVE links in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

 

3. Description:

 

The libxml2 library is a development toolbox providing the implementation

of various XML standards.

 

Several denial of service flaws were found in libxml2, a library providing

support for reading, modifying, and writing XML and HTML files. A remote

attacker could provide a specially crafted XML or HTML file that, when

processed by an application using libxml2, would cause that application to

use an excessive amount of CPU, leak potentially sensitive information, or

in certain cases crash the application. (CVE-2015-5312, CVE-2015-7497,

CVE-2015-7498, CVE-2015-7499, CVE-2015-7500 CVE-2015-7941, CVE-2015-7942,

CVE-2015-8241, CVE-2015-8242, CVE-2015-8317, BZ#1213957, BZ#1281955)

 

Red Hat would like to thank the GNOME project for reporting CVE-2015-7497,

CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242,

and CVE-2015-8317. Upstream acknowledges Kostya Serebryany of Google as the

original reporter of CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, and

CVE-2015-7500; Hugh Davenport as the original reporter of CVE-2015-8241 and

CVE-2015-8242; and Hanno Boeck as the original reporter of CVE-2015-8317.

 

All libxml2 users are advised to upgrade to these updated packages, which

contain a backported patch to correct these issues. The desktop must be

restarted (log out, then log back in) for this update to take effect.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1213957 - libxml2: out-of-bounds memory access when parsing an unclosed HTML comment

1274222 - CVE-2015-7941 libxml2: Out-of-bounds memory access

1276297 - CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()

1276693 - CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input

1281862 - CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey

1281879 - CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlPar[censored]mlDecl

1281925 - CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW

1281930 - CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration

1281936 - CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar

1281943 - CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc

1281950 - CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode

1281955 - libxml2: Multiple out-of-bounds reads in xmlDictComputeFastKey.isra.2 and xmlDictAddString.isra.O

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 6):

 

Source:

libxml2-2.7.6-20.el6_7.1.src.rpm

 

i386:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-python-2.7.6-20.el6_7.1.i686.rpm

 

x86_64:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux Desktop Optional (v. 6):

 

i386:

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-static-2.7.6-20.el6_7.1.i686.rpm

 

x86_64:

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node (v. 6):

 

Source:

libxml2-2.7.6-20.el6_7.1.src.rpm

 

x86_64:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node Optional (v. 6):

 

x86_64:

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 6):

 

Source:

libxml2-2.7.6-20.el6_7.1.src.rpm

 

i386:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-python-2.7.6-20.el6_7.1.i686.rpm

 

ppc64:

libxml2-2.7.6-20.el6_7.1.ppc.rpm

libxml2-2.7.6-20.el6_7.1.ppc64.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.ppc.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.ppc64.rpm

libxml2-devel-2.7.6-20.el6_7.1.ppc.rpm

libxml2-devel-2.7.6-20.el6_7.1.ppc64.rpm

libxml2-python-2.7.6-20.el6_7.1.ppc64.rpm

 

s390x:

libxml2-2.7.6-20.el6_7.1.s390.rpm

libxml2-2.7.6-20.el6_7.1.s390x.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.s390.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.s390x.rpm

libxml2-devel-2.7.6-20.el6_7.1.s390.rpm

libxml2-devel-2.7.6-20.el6_7.1.s390x.rpm

libxml2-python-2.7.6-20.el6_7.1.s390x.rpm

 

x86_64:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 6):

 

i386:

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-static-2.7.6-20.el6_7.1.i686.rpm

 

ppc64:

libxml2-debuginfo-2.7.6-20.el6_7.1.ppc64.rpm

libxml2-static-2.7.6-20.el6_7.1.ppc64.rpm

 

s390x:

libxml2-debuginfo-2.7.6-20.el6_7.1.s390x.rpm

libxml2-static-2.7.6-20.el6_7.1.s390x.rpm

 

x86_64:

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 6):

 

Source:

libxml2-2.7.6-20.el6_7.1.src.rpm

 

i386:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-python-2.7.6-20.el6_7.1.i686.rpm

 

x86_64:

libxml2-2.7.6-20.el6_7.1.i686.rpm

libxml2-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-devel-2.7.6-20.el6_7.1.i686.rpm

libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 6):

 

i386:

libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm

libxml2-static-2.7.6-20.el6_7.1.i686.rpm

 

x86_64:

libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm

libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-5312

https://access.redhat.com/security/cve/CVE-2015-7497

https://access.redhat.com/security/cve/CVE-2015-7498

https://access.redhat.com/security/cve/CVE-2015-7499

https://access.redhat.com/security/cve/CVE-2015-7500

https://access.redhat.com/security/cve/CVE-2015-7941

https://access.redhat.com/security/cve/CVE-2015-7942

https://access.redhat.com/security/cve/CVE-2015-8241

https://access.redhat.com/security/cve/CVE-2015-8242

https://access.redhat.com/security/cve/CVE-2015-8317

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFWZWCJXlSAg2UNWIIRAolaAJ9ZG2087Dxbs4QgaixZuck7QoZHugCeMTPl

+NnKYuZa9r7CJt9Llu3kJmw=

=rLoh

-----END PGP SIGNATURE-----

 

 

--

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×