[RHSA-2016:1292-01] Important: libxml2 security update
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: libxml2 security update

Advisory ID: RHSA-2016:1292-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2016:1292

Issue date: 2016-06-23

CVE Names: CVE-2016-1762 CVE-2016-1833 CVE-2016-1834

CVE-2016-1835 CVE-2016-1836 CVE-2016-1837

CVE-2016-1838 CVE-2016-1839 CVE-2016-1840

CVE-2016-3627 CVE-2016-3705 CVE-2016-4447

CVE-2016-4448 CVE-2016-4449

=====================================================================

 

1. Summary:

 

An update for libxml2 is now available for Red Hat Enterprise Linux 6 and

Red Hat Enterprise Linux 7.

 

Red Hat Product Security has rated this update as having a security impact

of Important. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available for each vulnerability

from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

The libxml2 library is a development toolbox providing the implementation

of various XML standards.

 

Security Fix(es):

 

A heap-based buffer overflow flaw was found in the way libxml2 parsed

certain crafted XML input. A remote attacker could provide a specially

crafted XML file that, when opened in an application linked against

libxml2, would cause the application to crash or execute arbitrary code

with the permissions of the user running the application. (CVE-2016-1834,

CVE-2016-1840)

 

Multiple denial of service flaws were found in libxml2. A remote attacker

could provide a specially crafted XML file that, when processed by an

application using libxml2, could cause that application to crash.

(CVE-2016-1762, CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837,

CVE-2016-1838, CVE-2016-1839, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447,

CVE-2016-4448, CVE-2016-4449)

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

For the update to take effect, all applications linked to the libxml2

library must be restarted, or the system rebooted.
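The restart requirement matters because upgrading the RPM only replaces the file on disk: any process that had already loaded the old libxml2.so keeps the vulnerable copy mapped until it exits. The script below is an added example, not part of this advisory or of Red Hat's tooling. It reads /proc/<pid>/maps, where the kernel appends "(deleted)" to a mapping whose backing file has been unlinked or replaced, and reports the processes that still need a restart; the maps excerpt embedded in it is constructed.

```python
"""List processes still mapping a libxml2 shared object that the update replaced.

Added example, not part of the advisory or of Red Hat's tooling. Upgrading the
RPM swaps the file on disk, but a process that loaded the old libxml2.so keeps
it mapped until it restarts; the kernel flags such mappings in /proc/<pid>/maps
with a "(deleted)" suffix. SAMPLE_MAPS is constructed.
"""
import os
import re

# Pathname column of a maps line for a libxml2 object whose on-disk file is gone.
STALE_LIBXML2 = re.compile(r"(\S*/libxml2\.so\S*) \(deleted\)$")

# Constructed maps lines: a pre-update libxml2 mapping (deleted), a live mapping
# of the replacement file at the same path, and an unrelated deleted library.
SAMPLE_MAPS = """\
7f3c2e4a1000-7f3c2e5e0000 r-xp 00000000 fd:01 1180461 /usr/lib64/libxml2.so.2.9.1 (deleted)
7f3c2e5e0000-7f3c2e7e0000 ---p 0013f000 fd:01 1180461 /usr/lib64/libxml2.so.2.9.1 (deleted)
7f3c2e9f0000-7f3c2eb2f000 r-xp 00000000 fd:01 1182077 /usr/lib64/libxml2.so.2.9.1
7f3c2f000000-7f3c2f100000 r-xp 00000000 fd:01 1180300 /usr/lib64/libssl.so.10 (deleted)
7ffd4c1e0000-7ffd4c201000 rw-p 00000000 00:00 0 [stack]
"""


def stale_libxml2_paths(maps_text):
    """Return the set of deleted libxml2 paths mapped in one maps file."""
    paths = set()
    for line in maps_text.splitlines():
        m = STALE_LIBXML2.search(line)
        if m:
            paths.add(m.group(1))
    return paths


def scan_processes(proc="/proc"):
    """Return {pid: (comm, [paths])} for processes that still map a stale libxml2.

    Reading another user's maps file needs root; unreadable entries and
    processes that exit mid-scan are skipped rather than reported.
    """
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                paths = stale_libxml2_paths(fh.read())
            if not paths:
                continue
            with open(os.path.join(proc, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        hits[int(entry)] = (comm, sorted(paths))
    return hits


if __name__ == "__main__":
    for pid, (comm, paths) in sorted(scan_processes().items()):
        print(f"{pid}\t{comm}\t{' '.join(paths)}")
```

Run it as root after the update so that every process's maps file is readable, and restart services (or reboot) until it reports nothing. Two limits: rpm installs the new file and renames it over the old one, so the old inode shows as "(deleted)", but a library overwritten in place would not; and programs built against libxml2-static have the vulnerable code compiled in, so they need a rebuild rather than a restart and this scan cannot see them.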

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1319829 - CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode

1332443 - CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file

1338682 - CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar

1338686 - CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName

1338691 - CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs

1338696 - CVE-2016-1837 libxml2: Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral

1338700 - CVE-2016-4448 libxml2: Format string vulnerability

1338701 - CVE-2016-4449 libxml2: Inappropriate fetch of entities content

1338702 - CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey

1338703 - CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString

1338705 - CVE-2016-1838 libxml2: Heap-based buffer overread in xmlParserPrintFileContextInternal

1338706 - CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup

1338708 - CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat

1338711 - CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar

 

6. Package List:

 

Red Hat Enterprise Linux HPC Node (v. 6):

 

Source:

libxml2-2.7.6-21.el6_8.1.src.rpm

 

x86_64:

libxml2-2.7.6-21.el6_8.1.i686.rpm

libxml2-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-python-2.7.6-21.el6_8.1.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node Optional (v. 6):

 

x86_64:

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-devel-2.7.6-21.el6_8.1.i686.rpm

libxml2-devel-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-static-2.7.6-21.el6_8.1.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 6):

 

Source:

libxml2-2.7.6-21.el6_8.1.src.rpm

 

i386:

libxml2-2.7.6-21.el6_8.1.i686.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-devel-2.7.6-21.el6_8.1.i686.rpm

libxml2-python-2.7.6-21.el6_8.1.i686.rpm

 

ppc64:

libxml2-2.7.6-21.el6_8.1.ppc.rpm

libxml2-2.7.6-21.el6_8.1.ppc64.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.ppc.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.ppc64.rpm

libxml2-devel-2.7.6-21.el6_8.1.ppc.rpm

libxml2-devel-2.7.6-21.el6_8.1.ppc64.rpm

libxml2-python-2.7.6-21.el6_8.1.ppc64.rpm

 

s390x:

libxml2-2.7.6-21.el6_8.1.s390.rpm

libxml2-2.7.6-21.el6_8.1.s390x.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.s390.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.s390x.rpm

libxml2-devel-2.7.6-21.el6_8.1.s390.rpm

libxml2-devel-2.7.6-21.el6_8.1.s390x.rpm

libxml2-python-2.7.6-21.el6_8.1.s390x.rpm

 

x86_64:

libxml2-2.7.6-21.el6_8.1.i686.rpm

libxml2-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-devel-2.7.6-21.el6_8.1.i686.rpm

libxml2-devel-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-python-2.7.6-21.el6_8.1.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 6):

 

i386:

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-static-2.7.6-21.el6_8.1.i686.rpm

 

ppc64:

libxml2-debuginfo-2.7.6-21.el6_8.1.ppc64.rpm

libxml2-static-2.7.6-21.el6_8.1.ppc64.rpm

 

s390x:

libxml2-debuginfo-2.7.6-21.el6_8.1.s390x.rpm

libxml2-static-2.7.6-21.el6_8.1.s390x.rpm

 

x86_64:

libxml2-debuginfo-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-static-2.7.6-21.el6_8.1.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 6):

 

Source:

libxml2-2.7.6-21.el6_8.1.src.rpm

 

i386:

libxml2-2.7.6-21.el6_8.1.i686.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-devel-2.7.6-21.el6_8.1.i686.rpm

libxml2-python-2.7.6-21.el6_8.1.i686.rpm

 

x86_64:

libxml2-2.7.6-21.el6_8.1.i686.rpm

libxml2-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-debuginfo-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-devel-2.7.6-21.el6_8.1.i686.rpm

libxml2-devel-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-python-2.7.6-21.el6_8.1.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 6):

 

i386:

libxml2-debuginfo-2.7.6-21.el6_8.1.i686.rpm

libxml2-static-2.7.6-21.el6_8.1.i686.rpm

 

x86_64:

libxml2-debuginfo-2.7.6-21.el6_8.1.x86_64.rpm

libxml2-static-2.7.6-21.el6_8.1.x86_64.rpm

 

Red Hat Enterprise Linux Client (v. 7):

 

Source:

libxml2-2.9.1-6.el7_2.3.src.rpm

 

x86_64:

libxml2-2.9.1-6.el7_2.3.i686.rpm

libxml2-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-python-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

x86_64:

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-devel-2.9.1-6.el7_2.3.i686.rpm

libxml2-devel-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-static-2.9.1-6.el7_2.3.i686.rpm

libxml2-static-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode (v. 7):

 

Source:

libxml2-2.9.1-6.el7_2.3.src.rpm

 

x86_64:

libxml2-2.9.1-6.el7_2.3.i686.rpm

libxml2-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-python-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

x86_64:

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-devel-2.9.1-6.el7_2.3.i686.rpm

libxml2-devel-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-static-2.9.1-6.el7_2.3.i686.rpm

libxml2-static-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

libxml2-2.9.1-6.el7_2.3.src.rpm

 

ppc64:

libxml2-2.9.1-6.el7_2.3.ppc.rpm

libxml2-2.9.1-6.el7_2.3.ppc64.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.ppc.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.ppc64.rpm

libxml2-devel-2.9.1-6.el7_2.3.ppc.rpm

libxml2-devel-2.9.1-6.el7_2.3.ppc64.rpm

libxml2-python-2.9.1-6.el7_2.3.ppc64.rpm

 

ppc64le:

libxml2-2.9.1-6.el7_2.3.ppc64le.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.ppc64le.rpm

libxml2-devel-2.9.1-6.el7_2.3.ppc64le.rpm

libxml2-python-2.9.1-6.el7_2.3.ppc64le.rpm

 

s390x:

libxml2-2.9.1-6.el7_2.3.s390.rpm

libxml2-2.9.1-6.el7_2.3.s390x.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.s390.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.s390x.rpm

libxml2-devel-2.9.1-6.el7_2.3.s390.rpm

libxml2-devel-2.9.1-6.el7_2.3.s390x.rpm

libxml2-python-2.9.1-6.el7_2.3.s390x.rpm

 

x86_64:

libxml2-2.9.1-6.el7_2.3.i686.rpm

libxml2-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-devel-2.9.1-6.el7_2.3.i686.rpm

libxml2-devel-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-python-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

ppc64:

libxml2-debuginfo-2.9.1-6.el7_2.3.ppc.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.ppc64.rpm

libxml2-static-2.9.1-6.el7_2.3.ppc.rpm

libxml2-static-2.9.1-6.el7_2.3.ppc64.rpm

 

ppc64le:

libxml2-debuginfo-2.9.1-6.el7_2.3.ppc64le.rpm

libxml2-static-2.9.1-6.el7_2.3.ppc64le.rpm

 

s390x:

libxml2-debuginfo-2.9.1-6.el7_2.3.s390.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.s390x.rpm

libxml2-static-2.9.1-6.el7_2.3.s390.rpm

libxml2-static-2.9.1-6.el7_2.3.s390x.rpm

 

x86_64:

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-static-2.9.1-6.el7_2.3.i686.rpm

libxml2-static-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

libxml2-2.9.1-6.el7_2.3.src.rpm

 

x86_64:

libxml2-2.9.1-6.el7_2.3.i686.rpm

libxml2-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-devel-2.9.1-6.el7_2.3.i686.rpm

libxml2-devel-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-python-2.9.1-6.el7_2.3.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

libxml2-debuginfo-2.9.1-6.el7_2.3.i686.rpm

libxml2-debuginfo-2.9.1-6.el7_2.3.x86_64.rpm

libxml2-static-2.9.1-6.el7_2.3.i686.rpm

libxml2-static-2.9.1-6.el7_2.3.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/
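Whether a host actually received the fixed builds listed above can be verified from its package listing alone. The script below is an added example, not part of this advisory or of Red Hat's tooling; it reimplements rpm's version-comparison algorithm (rpmvercmp, including the '~' and '^' rules) so that `rpm -qa 'libxml2*'` output collected from a host can be compared offline with the fixed builds for Red Hat Enterprise Linux 6 (2.7.6-21.el6_8.1) and 7 (2.9.1-6.el7_2.3). The listing embedded in it is constructed and deliberately mixes RHEL 6 and RHEL 7 entries to exercise both branches.

```python
"""Check an `rpm -qa 'libxml2*'` listing against the fixed builds in RHSA-2016:1292.

Added example, not part of the advisory or of Red Hat's tooling: it reimplements
rpm's version comparison (rpmvercmp) so a listing collected from a host can be
evaluated offline. SAMPLE_LISTING is constructed and mixes RHEL 6 and 7 entries.
"""
import re

# Fixed version and release per RHEL release tag, from section 6 of the advisory.
FIXED = {"el6": ("2.7.6", "21.el6_8.1"), "el7": ("2.9.1", "6.el7_2.3")}

# name-version-release.arch as printed by `rpm -qa`; no epoch is shown, and
# libxml2 in RHEL 6/7 carries none.
NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")

SAMPLE_LISTING = """\
libxml2-2.7.6-21.el6_8.1.x86_64
libxml2-2.7.6-21.el6_8.1.i686
libxml2-python-2.7.6-21.el6.x86_64
libxml2-2.9.1-6.el7_2.2.x86_64
libxml2-devel-2.9.1-6.el7_2.3.x86_64
"""

def _take(s, k, pred):
    """Return the run of characters of s starting at k that satisfy pred, and the new index."""
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k

def rpmvercmp(a, b):
    """Compare two version or release strings as rpm does; return -1, 0 or 1.

    Digit runs compare numerically (leading zeros ignored), letter runs as strings,
    a digit run beats a letter run, '~' sorts before end-of-string, '^' after it.
    """
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                           # skip separator characters
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        seg_a, i = _take(a, i, str.isdigit if isnum else str.isalpha)
        seg_b, j = _take(b, j, str.isdigit if isnum else str.isalpha)
        if not seg_b:                        # numeric segment beats alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not ca and not cb:
        return 0
    return 1 if ca else -1                   # leftover characters win

def evrcmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples; a missing epoch counts as 0."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def check_listing(listing):
    """Map each libxml2* NVRA in an `rpm -qa` listing to 'fixed', 'vulnerable' or 'unknown'."""
    status = {}
    for line in filter(None, (ln.strip() for ln in listing.splitlines())):
        m = NVRA_RE.match(line)
        if not m or not m["name"].startswith("libxml2"):
            continue
        tag = re.search(r"\.(el[67])(?:[_.]|$)", m["release"])
        if tag is None:                      # not a RHEL 6 or 7 build
            status[line] = "unknown"
            continue
        installed = (0, m["version"], m["release"])
        fixed = (0,) + FIXED[tag.group(1)]
        status[line] = "fixed" if evrcmp(installed, fixed) >= 0 else "vulnerable"
    return status
```

A build at or above the fixed one is reported as fixed, so later errata that supersede this advisory are handled correctly, and anything without an .el6 or .el7 release tag is reported as unknown rather than guessed. On the host itself, `rpm -q --changelog libxml2 | grep CVE-2016-1834` is the quicker check, since Red Hat records fixed CVEs in the package changelog; the offline comparison is for inventories pulled from many hosts. Pair either check with `rpm -K` on the downloaded packages to confirm the Red Hat signature mentioned above.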

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-1762

https://access.redhat.com/security/cve/CVE-2016-1833

https://access.redhat.com/security/cve/CVE-2016-1834

https://access.redhat.com/security/cve/CVE-2016-1835

https://access.redhat.com/security/cve/CVE-2016-1836

https://access.redhat.com/security/cve/CVE-2016-1837

https://access.redhat.com/security/cve/CVE-2016-1838

https://access.redhat.com/security/cve/CVE-2016-1839

https://access.redhat.com/security/cve/CVE-2016-1840

https://access.redhat.com/security/cve/CVE-2016-3627

https://access.redhat.com/security/cve/CVE-2016-3705

https://access.redhat.com/security/cve/CVE-2016-4447

https://access.redhat.com/security/cve/CVE-2016-4448

https://access.redhat.com/security/cve/CVE-2016-4449

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2016 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFXa8B8XlSAg2UNWIIRAh9ZAJ99xgPhOaIopIxmynm+vlDcmw4jFACeLvTm

ZsVLEgJAF0Zt6xZVzqvVW7U=

=fREV

-----END PGP SIGNATURE-----

 

 
