news 28 Posted December 7, 2015 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libxml2 security update Advisory ID: RHSA-2015:2549-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2549.html Issue date: 2015-12-07 CVE Names: CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7941 CVE-2015-7942 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 ===================================================================== 1. Summary: Updated libxml2 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The libxml2 library is a development toolbox providing the implementation of various XML standards. Several denial of service flaws were found in libxml2, a library providing support for reading, modifying, and writing XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or in certain cases crash the application. (CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500 CVE-2015-7941, CVE-2015-7942, CVE-2015-8241, CVE-2015-8242, CVE-2015-8317, BZ#1213957, BZ#1281955) Red Hat would like to thank the GNOME project for reporting CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242, and CVE-2015-8317. Upstream acknowledges Kostya Serebryany of Google as the original reporter of CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, and CVE-2015-7500; Hugh Davenport as the original reporter of CVE-2015-8241 and CVE-2015-8242; and Hanno Boeck as the original reporter of CVE-2015-8317. All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1213957 - libxml2: out-of-bounds memory access when parsing an unclosed HTML comment 1274222 - CVE-2015-7941 libxml2: Out-of-bounds memory access 1276297 - CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() 1276693 - CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input 1281862 - CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey 1281879 - CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlPar[censored]mlDecl 1281925 - CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW 1281930 - CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration 1281936 - CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar 1281943 - CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc 1281950 - CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode 1281955 - libxml2: Multiple out-of-bounds reads in xmlDictComputeFastKey.isra.2 and xmlDictAddString.isra.O 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: libxml2-2.7.6-20.el6_7.1.src.rpm i386: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-python-2.7.6-20.el6_7.1.i686.rpm x86_64: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-2.7.6-20.el6_7.1.x86_64.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-static-2.7.6-20.el6_7.1.i686.rpm x86_64: libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: libxml2-2.7.6-20.el6_7.1.src.rpm x86_64: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-2.7.6-20.el6_7.1.x86_64.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: libxml2-2.7.6-20.el6_7.1.src.rpm i386: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-python-2.7.6-20.el6_7.1.i686.rpm ppc64: libxml2-2.7.6-20.el6_7.1.ppc.rpm libxml2-2.7.6-20.el6_7.1.ppc64.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.ppc.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.ppc64.rpm libxml2-devel-2.7.6-20.el6_7.1.ppc.rpm libxml2-devel-2.7.6-20.el6_7.1.ppc64.rpm libxml2-python-2.7.6-20.el6_7.1.ppc64.rpm s390x: libxml2-2.7.6-20.el6_7.1.s390.rpm libxml2-2.7.6-20.el6_7.1.s390x.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.s390.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.s390x.rpm libxml2-devel-2.7.6-20.el6_7.1.s390.rpm libxml2-devel-2.7.6-20.el6_7.1.s390x.rpm libxml2-python-2.7.6-20.el6_7.1.s390x.rpm x86_64: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-2.7.6-20.el6_7.1.x86_64.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-static-2.7.6-20.el6_7.1.i686.rpm ppc64: libxml2-debuginfo-2.7.6-20.el6_7.1.ppc64.rpm libxml2-static-2.7.6-20.el6_7.1.ppc64.rpm s390x: libxml2-debuginfo-2.7.6-20.el6_7.1.s390x.rpm libxml2-static-2.7.6-20.el6_7.1.s390x.rpm x86_64: libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: libxml2-2.7.6-20.el6_7.1.src.rpm i386: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-python-2.7.6-20.el6_7.1.i686.rpm x86_64: libxml2-2.7.6-20.el6_7.1.i686.rpm libxml2-2.7.6-20.el6_7.1.x86_64.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-devel-2.7.6-20.el6_7.1.i686.rpm libxml2-devel-2.7.6-20.el6_7.1.x86_64.rpm libxml2-python-2.7.6-20.el6_7.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: libxml2-debuginfo-2.7.6-20.el6_7.1.i686.rpm libxml2-static-2.7.6-20.el6_7.1.i686.rpm x86_64: libxml2-debuginfo-2.7.6-20.el6_7.1.x86_64.rpm libxml2-static-2.7.6-20.el6_7.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5312 https://access.redhat.com/security/cve/CVE-2015-7497 https://access.redhat.com/security/cve/CVE-2015-7498 https://access.redhat.com/security/cve/CVE-2015-7499 https://access.redhat.com/security/cve/CVE-2015-7500 https://access.redhat.com/security/cve/CVE-2015-7941 https://access.redhat.com/security/cve/CVE-2015-7942 https://access.redhat.com/security/cve/CVE-2015-8241 https://access.redhat.com/security/cve/CVE-2015-8242 https://access.redhat.com/security/cve/CVE-2015-8317 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWZWCJXlSAg2UNWIIRAolaAJ9ZG2087Dxbs4QgaixZuck7QoZHugCeMTPl +NnKYuZa9r7CJt9Llu3kJmw= =rLoh -----END PGP SIGNATURE----- -- Share this post Link to post