Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0182 -- Debian Security Advisory DSA 455-1 New libxml packages fix arbitrary code execution 05 March 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libxml libxml2 Publisher: Debian Operating System: Debian GNU/Linux 3.0 Linux Impact: Execute Arbitrary Code/Commands Access Required: Remote CVE Names: CAN-2004-0110 Ref: ESB-2004.0178 ESB-2004.0166 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 455-1 security@debian.org http://www.debian.org/security/ Martin Schulze March 3rd, 2004 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : libxml, libxml2 Vulnerability : buffer overflows Problem-Type : remote Debian-specific: no CVE ID : CAN-2004-0110 libxml2 is a library for manipulating XML files. Yuuichi Teranishi discovered a flaw in libxml, the GNOME XML library. When fetching a remote resource via FTP or HTTP, the library uses special parsing routines which can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml1 or libxml2 that parses remote resources and allows the attacker to craft the URL, then this flaw could be used to execute arbitrary code. For the stable distribution (woody) this problem has been fixed in version 1.8.17-2woody1 of libxml and version 2.4.19-4woody1 of libxml2. For the unstable distribution (sid) this problem has been fixed in version 1.8.17-5 of libxml and version 2.6.6-1 of libxml2. We recommend that you upgrade your libxml1 and libxml2 packages. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-2woody1.dsc Size/MD5 checksum: 651 16512f774479d73b7d82ca4e1db527f5 http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-2woody1.diff.gz Size/MD5 checksum: 33976 68afef27edf44d2b81e02fde3431bca8 http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17.orig.tar.gz Size/MD5 checksum: 1016403 b8f01e43e1e03dec37dfd6b4507a9568 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1.dsc Size/MD5 checksum: 654 6f56380f9bfade2c66f03956e1a65162 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1.diff.gz Size/MD5 checksum: 344358 ba3ea49cc8c465ff1a6377780c35a45d http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19.orig.tar.gz Size/MD5 checksum: 1925487 22e3c043f57e18baaed86c5fff3eafbc Alpha architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_alpha.deb Size/MD5 checksum: 381994 dc3ada5391f52bdfd642df1bc5b9a6be http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_alpha.deb Size/MD5 checksum: 208830 a0698c267c722bf5127ee3709024ecc9 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_alpha.deb Size/MD5 checksum: 388786 a4ece19b65c46dd0e8f889c26e5938b3 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_alpha.deb Size/MD5 checksum: 938568 5f3e46bd132c9167db9e93ca3c739952 ARM architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_arm.deb Size/MD5 checksum: 392536 9e126158928d24a562ae1d2b3d35ae1d http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_arm.deb Size/MD5 checksum: 184172 0527fd6a14e003139be9b475e689ee41 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_arm.deb Size/MD5 checksum: 346060 6b9caeac9a0061576f8a1e5b46ed8671 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_arm.deb Size/MD5 checksum: 902966 688fb8c5ea18b0f9d8e7671dad5426c5 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_i386.deb Size/MD5 checksum: 330042 b1c61849e10edbe597429fcd05d1d2b3 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_i386.deb Size/MD5 checksum: 183310 3c217f980c138f24eac1a0abd89eba78 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_i386.deb Size/MD5 checksum: 333034 11cfc7169e549c63dccf28f15300a8eb http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_i386.deb Size/MD5 checksum: 843084 43a242f53ed8a688e5ed02284a150f52 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_ia64.deb Size/MD5 checksum: 447184 5bfa2835a9d9b43da6d31e1cadce6bc1 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_ia64.deb Size/MD5 checksum: 285484 a378583eaaaf1248aba8de4fd721c5fc http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_ia64.deb Size/MD5 checksum: 507452 b447844080f6e0c1d498b34ec849c9b2 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_ia64.deb Size/MD5 checksum: 1032662 ddd7aae0835fe1edb04aee7cdf2e41c0 HP Precision architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_hppa.deb Size/MD5 checksum: 439372 d5f629dc7f885dd858671ab639d954f8 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_hppa.deb Size/MD5 checksum: 248212 837ec145aac757ce053075a4736ddb55 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_hppa.deb Size/MD5 checksum: 425454 0719d6e0835b6dae714b1ce1a0bd9d77 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_hppa.deb Size/MD5 checksum: 979152 41e110f4c9805a5afb94fff79d1f3d22 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_m68k.deb Size/MD5 checksum: 318176 d0dcb654f8083e0873396d38aaa1a7a2 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_m68k.deb Size/MD5 checksum: 178226 c18c0c7bb3c0884c62f36922e5843e83 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_m68k.deb Size/MD5 checksum: 336902 2990a52db32dc3fd3108be4e677e59bf http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_m68k.deb Size/MD5 checksum: 828820 6378b37494b667bce472f934f50c3cb8 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_mips.deb Size/MD5 checksum: 376266 1c226409e23047ec521224697a82f76c http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_mips.deb Size/MD5 checksum: 183628 0fa6098bdbfeadb50dfb7e5f4f2c967c http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_mips.deb Size/MD5 checksum: 348902 474e9b8bc026ca199218727203422c12 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_mips.deb Size/MD5 checksum: 921098 b8aa537054fc482ab042647ac0551f94 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_mipsel.deb Size/MD5 checksum: 373696 603708cf407ea49748c987bea0ddaade http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_mipsel.deb Size/MD5 checksum: 182958 5397950eb709142774a2aa70f5faa9db http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_mipsel.deb Size/MD5 checksum: 343660 985465f428571c774bb3b44699768c15 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_mipsel.deb Size/MD5 checksum: 915010 0553eb273d500c82b93cac55b7c52ad4 PowerPC architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_powerpc.deb Size/MD5 checksum: 356590 f97bc218912092bae051188dd9c157d5 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_powerpc.deb Size/MD5 checksum: 194062 b37b9d75744323dafdc4a76293c3456d http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_powerpc.deb Size/MD5 checksum: 376486 bdfb8d5a839f65286e57e34857fd14f1 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_powerpc.deb Size/MD5 checksum: 916952 90f7f069508d26431cc61f967886b159 IBM S/390 architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_s390.deb Size/MD5 checksum: 329398 2b6046a2aeb468a00abc8556676d10d1 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_s390.deb Size/MD5 checksum: 184216 78803336930258db2d7b115c4b708fad http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_s390.deb Size/MD5 checksum: 360282 a7bb4f832d6a4d86753b3d046f4e8fa1 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_s390.deb Size/MD5 checksum: 857396 e7efd1f4a92ba1f6a1a3c96e5c5a851b Sun Sparc architecture: http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_sparc.deb Size/MD5 checksum: 347058 88ec785a5184e9ff44e617638b661be4 http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_sparc.deb Size/MD5 checksum: 196108 da3f13d8c4e4ffd8604cd01cf26c781f http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_sparc.deb Size/MD5 checksum: 363670 ab415cd91562622e7ab2dde1df98a09b http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_sparc.deb Size/MD5 checksum: 886976 ba693e42209a963c26f325d89ecbe989 These files will probably be moved into the stable distribution on its next revision. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFARwN/W5ql+IAeqTIRAi+4AJoD/hPYY6rzbWuQGpwymgMPeDppXwCgsZ5c cfOHbrGF3l7tC0/FaeVfgiU= =QWbs - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQEfshSh9+71yA2DNAQHoKQQAhrbq+1jFFWcL+63Q/5hq6p/QDE+QuytQ A5bJVP8ibJgvGa1cLq37ep6pTWJ/HD+AN1yPj5mkBSY7ZV6HrZzbfgpjBcrmGqAh 0ZLR5IDYCN80E43K1G6J0r0E0wi1wjQLP3nx4x4cYBu7KzS0eubv96yP/FddntrM iVrwiUeVZuk= =j/ku -----END PGP SIGNATURE-----