-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0871
                         libxml2 regression update
                               8 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3660

Reference:         ESB-2015.0137
                   ESB-2014.2299
                   ESB-2014.2195
                   ESB-2014.2190
                   ESB-2014.1955
                   ESB-2014.1874
                   ESB-2015.0233.2
                   ESB-2015.0196.2

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3057

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3057-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
April 07, 2015                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libxml2
Debian Bug     : 774358

The update for libxml2 issued as DSA-3057-1 caused regressions due to an
incomplete patch to address CVE-2014-3660. Updated packages are
available to address this problem. For reference the original advisory
text follows.

Sogeti found a denial of service flaw in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by an
application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior.
(CVE-2014-3660)

For the stable distribution (wheezy), this problem has been fixed in
version 2.8.0+dfsg1-7+wheezy4.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
      not be updated when updates to the original are made. If downloading
      at a later date, it is recommended that the bulletin is retrieved
      directly from the author's website to ensure that the information is
      still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----