Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0979 -- [Debian]
New libxml2 packages fix execution of arbitrary code
15 October 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libxml2
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-3529
Ref: ESB-2008.0869
Original Bulletin: http://www.debian.org/security/2008/dsa-1654
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1654-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
October 14, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : libxml2
Vulnerability : buffer overflow
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-3529
Debian Bug : 498768
It was discovered that libxml2, the GNOME XML library, didn't correctly
handle long entity names. This could allow the execution of arbitrary
code via a malicious XML file.
For the stable distribution (etch), this problem has been fixed in version
2.6.27.dfsg-5.
For the unstable distribution (sid), this problem has been fixed in
version 2.6.32.dfsg-4.
We recommend that you upgrade your libxml2 package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5.diff.gz
Size/MD5 checksum: 220443 48cafbb8d1bd2c6093339fea3f14e4a0
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg.orig.tar.gz
Size/MD5 checksum: 3416175 5ff71b22f6253a6dd9afc1c34778dec3
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5.dsc
Size/MD5 checksum: 893 0dc1f183dd20741e5b4e26a7f8e1c652
Architecture independent packages:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-5_all.deb
Size/MD5 checksum: 1328144 c1c5f0ceb391893a94e61c074b677ee9
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum: 820850 fac5556241bb0fde20913f25fb9c73ac
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum: 37980 725b1c6925e610b5843ba0ad554dc7bc
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum: 184754 5ccbaf07b44dcfe528167074050bf270
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum: 916830 17d71480b7e2a447dabde99c11d752fa
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum: 881834 cac19a28b37f7afb9e07966f44ddd5b2
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum: 184130 a13372752d162d0fb2ccd58da6b73e20
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum: 36684 8a0265229bebf9245dc7bb7cc6f41d36
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum: 796194 6019e59020269cca8fa8fea40f83c118
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum: 891922 606fc28448bead2709c39a1d3e529a25
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum: 745758 95bd39eb2818772c43c3351b22326fcd
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum: 741876 1b670c6bac3aa9f7df28f7ea3f1e5725
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum: 34678 9a992dc251b137a919a813eed2af8489
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum: 165290 732b4e94b91a086c6b950d187af160bc
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum: 817514 299c93a812ac02a8aa9da88f4cb5aedf
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum: 673192 d2ff2c26ee8dae05f81c24aa6dfce9b5
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_hppa.deb
Size/MD5 checksum: 191876 4d2e33090237b47bc10e9526329f0bc5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_hppa.deb
Size/MD5 checksum: 36708 0ebf8554c5a0e873b128d52ceafccdfd
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_hppa.deb
Size/MD5 checksum: 850210 bde343770ac9a7bd458e68a60c2b8434
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_hppa.deb
Size/MD5 checksum: 858660 88f67d0d2aff41333ca2f4d4b2d6b5b2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_hppa.deb
Size/MD5 checksum: 864474 489dbd9d677c274c07abb88d0f23b969
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_i386.deb
Size/MD5 checksum: 755986 9fdf341ede17d7790202229db9cc1353
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_i386.deb
Size/MD5 checksum: 169032 272c6be290817bf9cb8b401425fd83d5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_i386.deb
Size/MD5 checksum: 681472 d8a0611d638e0553da64a218fbcf291a
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_i386.deb
Size/MD5 checksum: 857318 6946048170dd7d142c03c13794c30d6f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_i386.deb
Size/MD5 checksum: 34496 3e3674a714f780024630ad1a2ca46eab
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_ia64.deb
Size/MD5 checksum: 1106480 03e08564e2bf843905daecdd7c5cc4c4
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_ia64.deb
Size/MD5 checksum: 874222 ed9ab6fa068a5b07c22ec1c10db8e0ab
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_ia64.deb
Size/MD5 checksum: 1080186 defc5f4f9eb80872a793cc025e33a111
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_ia64.deb
Size/MD5 checksum: 48492 5a567323dc0bf8159a6eae87957266d5
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_ia64.deb
Size/MD5 checksum: 196536 cdbb137c8bb31cf29114673c4cb28e67
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_mips.deb
Size/MD5 checksum: 34418 4a05346cb2fc6c314e7e8aef21662469
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_mips.deb
Size/MD5 checksum: 171678 c94bfffc6bde639623ce9a91028960e5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_mips.deb
Size/MD5 checksum: 926922 ddc8ff03120dd78869830d38a5e8708d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_mips.deb
Size/MD5 checksum: 840642 57f2ea24a31904c4b07531f6292a4a8e
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_mips.deb
Size/MD5 checksum: 770246 20ba2586e1406d66bd34642f13265dcf
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_mipsel.deb
Size/MD5 checksum: 34398 9f0ebfb1dc37496e6b7a4e9963ffaeff
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_mipsel.deb
Size/MD5 checksum: 898346 29680d5d5baa66e251e71f55aa128e3c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_mipsel.deb
Size/MD5 checksum: 768976 8f6464a0ef61b3ddcd271652a01c7469
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_mipsel.deb
Size/MD5 checksum: 833252 5c83c05d44526479e7c550fd0d8cbdbe
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_mipsel.deb
Size/MD5 checksum: 168690 eb56cb1ea49795d0a5a18af468625941
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_powerpc.deb
Size/MD5 checksum: 898010 c3d61392afcb383d0f27d5f91fda721d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_powerpc.deb
Size/MD5 checksum: 770994 94ef895f8942b880e8823e10420120e6
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_powerpc.deb
Size/MD5 checksum: 172726 5d097f0290be2bab9b93287bad07e83f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_powerpc.deb
Size/MD5 checksum: 37660 e977bc38e837077de7a006ef923b98bd
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_powerpc.deb
Size/MD5 checksum: 779958 ad7245f8a9980d7f40234aefaf12a31b
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_s390.deb
Size/MD5 checksum: 185726 91661276ed6cf371373b4e61805c81b8
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_s390.deb
Size/MD5 checksum: 885618 218f2603ab94bf92ba45cd330fe15782
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_s390.deb
Size/MD5 checksum: 806024 3abe21a0d756e5a0a2ca646f0ba32729
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_s390.deb
Size/MD5 checksum: 36378 cbc5eb7e2f81adafeba8e857aee8c918
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_s390.deb
Size/MD5 checksum: 750190 4172cb95d7aea2f9ee9331220cd5274c
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_sparc.deb
Size/MD5 checksum: 781522 c20ea9c8ab0ec798488e68c845650036
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_sparc.deb
Size/MD5 checksum: 713144 e0139b86fbf9644678c2c6de6462bff1
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_sparc.deb
Size/MD5 checksum: 759568 7d46f7ceb214711851cc1f27edef2c48
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_sparc.deb
Size/MD5 checksum: 34580 fceb65808b2c98f621d79352eea9d2d5
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_sparc.deb
Size/MD5 checksum: 176874 f27821fe07861f2e71658bc3eb0a595e
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD4DBQFI9N2RwM/Gs81MDZ0RAqP7AJYxbWnJqF4zauFOietE80FTYW02AKDCOBt2
wvZ3MJ4FZeRn990jpLrh1A==
=FZQi
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSPVuOCh9+71yA2DNAQKE1wP/Yde2T/iwYJq0KhQbpWdfo2ldaJeKL2Lc
Nua+giioPU2eGNNz+ile3APUGARxF4CFHWRjNP5rVRH531jk/xoEe3P6ExRWgOK9
qPru5l1s2dhAWe7R8dsCHdhsU8Dp42k7tDnNHL2IH0mthz4zaX8FgEgYLgOQTinx
DC1UT5MaDQs=
=VOsQ
-----END PGP SIGNATURE-----