Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.1090
New libxml2 packages fix potential code execution
2 December 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libxml2
Publisher: Debian
Operating System: Debian GNU/Linux 5
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-4008
Reference: ASB-2010.0237.3
ESB-2010.1066
Original Bulletin:
http://www.debian.org/security/2010/dsa-2128
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-2128-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 01, 2010 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : libxml2
Vulnerability : invalid memory access
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2010-4008
Bui Quang Minh discovered that libxml2, a library for parsing and
handling XML data files, does not well process a malformed XPATH,
causing crash and allowing arbitrary code execution.
For the stable distribution (lenny), this problem has been fixed in
version 2.6.32.dfsg-5+lenny2.
For the testing (squeeze) and unstable (sid) distribution, this problem
has been fixed in version 2.7.8.dfsg-1.
We recommend that you upgrade your libxml2 package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg.orig.tar.gz
Size/MD5 checksum: 3425843 bb11c95674e775b791dab2d15e630fa4
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2.dsc
Size/MD5 checksum: 1985 e1a498ed2e38225c5d10aaf834d9e0b9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2.diff.gz
Size/MD5 checksum: 83947 7af1ff46c9cacd57e7f977b295b39084
Architecture independent packages:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-5+lenny2_all.deb
Size/MD5 checksum: 1307172 ceec72214783bdfc9d7643ea31a61d50
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 920664 429d086d4861511c6d9130bd7a165698
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 856680 fccba5f6884b74e873730e3140e0bad5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 920616 33f850cafef51a45ef04714c9900e737
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 292784 2f2ad873f9f50a0400960264ba823aec
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 38026 e3f0bf3fe0f804bcd39df854e420cee6
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 988474 ea406c325fe1d3cf8e80eed39ff61f7e
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 295940 2a1754d35048a827dfeac4ee25f238d5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 37328 0b6af9c052e005c439658215027eeead
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 774114 0c714b77c96e4d840048edbce00d959f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 860726 cf7d9638a12709f527898f9c91ec389d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 246210 484d790396e82318e4eb5e38903497d9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 898986 5cbab6f3b7fa8df4a406d03eaa5762a2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 685530 9b9ea967472806e4f4b0d713d7198706
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 782546 1dec5ad219c1f69439936f172323b4d3
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 35174 f15d1f05b68e8299b2084315feea6078
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 247756 4809a4f17729bfec952e25aeff5f612b
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 906754 ee3e37855a6699771d3612180632a1df
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 790732 0df793cc442fd5aff099c60852cfd031
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 34258 95bb668363b085e6fea0848444ff0a42
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 692210 acb1820adf968e8011d16b94cdc6d18c
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 867348 656a379b6cd2f3bc167c4c580f4f9588
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 300124 646af54075ce65b1f318773e55f3b8ae
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 36974 6595d5ef74d9710d4498159da8fe8879
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 931526 94752ea0ec5e56c0ce2bfa6fd8ffc7c2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 889446 3342e94f7cb0f5c89f4a95969750d6fe
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 264698 ce75352a38803aa7d94111c44ccc7a30
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 945316 95cf7cbbb06087b7f18c52f897b4ba78
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 814750 df1f647ba1306ce5138b50f06089d3db
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 698690 4e54bd82a4b679478806da0e14212268
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 33754 92c4c50e1a3f6160ab72316d1cf678ba
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 48096 df26f8dc1b4e78de97d22fb6f328844d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 1144394 8a3e9d36f7bcebc74fe83f2f602197c6
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 1150678 6efac0dc67e48b20922bc321ad14b1ed
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 926300 8381127e0f7f55f23a5a798ec6a043b5
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 320066 c18be638d183a965bcff61cbef015b44
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 975846 27602acbf39c6086b0ccccc2a075888c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 809424 62a1a3153b1f2898bd36914b9d953a59
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 821888 df10f6c3fa7dd05d6aeba73b8a82fe7a
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 34188 489be157e2061a3e958a1c9693f6fb07
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 252622 ffe51c47bcaa9883addae4da42850e8a
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 950566 3ad6dc272c21e8f849fb06cca054dcd6
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 42054 1b29e288243c30441833b359a36cd09f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 834730 e79241dec4e3e7328e305a8fb0505d18
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 285718 df9b1705a6faea8bd1a3f0db9464f4c1
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 789938 1831f4e506ea36d5d6dbf4af3864835e
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 38078 b238d71479ae8c7dfdce22b7b96e96f6
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 297668 87fc74097472950250bdef49cfc1401d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 854128 bba7607e556f4d03578a6fd7b206c542
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 762632 aaf2e13c002c2128fd8f06b49e8b0079
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 968000 20682a3eddbc11161cabe014eb67cc2f
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 36538 c94d075d63dfa8c35cdca960d12e1ba7
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 845248 9b9da876e13164f4346e7efcf9b94a96
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 279186 1f5a7299a4c7fbf27d73d017909679e9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 727602 b1b0633a4bdb40f1e0a341a1b86c812c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 803608 8a339109db809222dd0dd9e795062fa2
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkz2rOwACgkQNxpp46476ao/rACeMFfLExUoEqbbizNJEiwhpVHy
GvsAn3l6L9nveGxhDXGoL4qEGuo68XgG
=x+6A
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFM9v2n/iFOrG6YcBERAl5TAKCF8HNK/Jic994u83w+3DCBxbGawgCfYy/8
m/JR9HZJsYilqjjnwUg9T20=
=Hahl
-----END PGP SIGNATURE-----