Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.0871
libxml2 regression update
8 April 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libxml2
Publisher: Debian
Operating System: Debian GNU/Linux 7
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3660
Reference: ESB-2015.0137
ESB-2014.2299
ESB-2014.2195
ESB-2014.2190
ESB-2014.1955
ESB-2014.1874
ESB-2015.0233.2
ESB-2015.0196.2
Original Bulletin:
http://www.debian.org/security/2015/dsa-3057
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3057-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
April 07, 2015 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : libxml2
Debian Bug : 774358
The update for libxml2 issued as DSA-3057-1 caused regressions due to an
incomplete patch to address CVE-2014-3660. Updated packages are
available to address this problem. For reference the original advisory
text follows.
Sogeti found a denial of service flaw in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by an
application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior.
(CVE-2014-3660)
For the stable distribution (wheezy), this problem has been fixed in
version 2.8.0+dfsg1-7+wheezy4.
We recommend that you upgrade your libxml2 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVJCi+AAoJEAVMuPMTQ89EwvoQAJ3XjEknlEmqjvr6N+W45k4A
R1F/51r1M17GpqFmhrnqcHTa0nTFgrQhcNgkKfF68GFrjr/jKyoC0HKjbwFl6j6a
Zx0KrcWn39e/oM9DFYV9fcfkQKwsVQPqYsvp4PKVxMKRGLE7Ke21OYQdHxtUxYDy
HHL2mlgMWe/k5+T9qvJZVFe6HZrleIkGP8SSWkzQbFKOVBIJk2RyVrbUrxHmUi+j
KjhJBf+6VgT62+YprJGLtgPN/nitqoF9Zfk3qT2sgDyPAkdHV26S1vAPrlPK5KTN
CwxcfZQShcQiQOsV3If6InSG97evAsMV3TbxAwaPBUTxNCLf07Z40Zlbvf7XvXyg
apJ4TmV2cDY1f2g9hfHxgLwt8FWSosrZbrQi4a0QMFIb8Idf4YTOobDjy2kNio9l
IrFumsvX1+tSdPYOOq37qKhfkRT4L0+aPsHOAn/6lfOz5DSGATvJ17yHvjYUnq2w
2gWE0VzOYG+iz8DtuJb79GvHUZGgbKjOMOCSbTa8udSQ+Ez6YjdgsGTw+PxIsF4h
CxgFlQUOhozoGwZ5ryodBLWLPk38SDD/DAeGicSz87ZxIr2T6JLV+vFBEh0xTiJ4
Q4qPcxDCJrzUKmUkTSyCuBill4S9yz2NmbSIou9qdxF2r186S5YJqCUhlXAoTNF+
6PqavMqfFYzb1VtDBjZ/
=b9Wb
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVSRnYRLndAQH1ShLAQIwsBAAoJCpdd/v6d+PBWCx3VlzbGvFvZCrsRTw
m166rHlDJyOkofNfQSzzqONbDvGk4/8hjVeP5n1gtLTZprgACMuI0/Pu84IP+DJ9
QAjuFYqe0ZyqQ0agWeCEhNTknL+RVfrqOgyr3+TvmvimkqAA/0qdQkerYd4/xozr
NAMKU805etPCN8XdNWtoyX88rHNXgs+qYLfiCCM9zPjjVWknrjG99ayoTFbMbLFx
cVlPmDybpnimO8k4ev01ri2I1NPRapZ3LEZsWKpwlnWdqg6HJaRwYnnEPXtUWq1e
TrBkMvS5mvi8sstJh+4hMzzORTicblPQGgLCCorhj+hB1Ii4DejLVXgkg4/GxT/m
2gozzpMw2FcfzBgi1IV+XeLUq9NTdXYHHSZdOFQ2y1TqXCeJvW/CJt75VsnSiLQW
mOyJuSc+kdILxSZ5nkjO/+Mo4SWHJyYetGQGXvyV5qiYfm+Om8tu1ghEnMCTcchP
FY94fat73wO7ao//Jcp0WjoKE2dTzxh0sfd3nSWEKdsTZYAoGOgBDuxg/jqZaIvs
ebl/CUV/jGQY5W2zpUWPJpx2bFgfnS5cM0h+XNMq6oxensoT1G2+kmG2dxaWVphO
eZzE8p9p/ggRYA0BcErpMoE3DIamENdtE73uB517qlIClvKlaCjPAvVKkUYtkPtX
nRDBRP/dgY8=
=TQuM
-----END PGP SIGNATURE-----