Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201701-37 ] libxml2: Multiple vulnerabilities
Date: Mon, 16 Jan 2017 21:22:34
Message-Id: f43e61b2-ab26-5715-355a-b0edfd8947ea@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201701-37
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libxml2: Multiple vulnerabilities
     Date: January 16, 2017
     Bugs: #564776, #566374, #572878, #573820, #577998, #582538,
           #582540, #583888, #589816, #597112, #597114, #597116
       ID: 201701-37

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libxml2, the worst of which
could lead to the execution of arbitrary code.

Background
==========

libxml2 is the XML (eXtensible Markup Language) C parser and toolkit
initially developed for the Gnome project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libxml2          < 2.9.4-r1               >= 2.9.4-r1

Description
===========

Multiple vulnerabilities have been discovered in libxml2. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user or automated system to process a
specially crafted XML document, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libxml2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.9.4-r1"

References
==========

[  1 ] CVE-2015-1819
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1819
[  2 ] CVE-2015-5312
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5312
[  3 ] CVE-2015-7497
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7497
[  4 ] CVE-2015-7498
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7498
[  5 ] CVE-2015-7499
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7499
[  6 ] CVE-2015-7500
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7500
[  7 ] CVE-2015-7941
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7941
[  8 ] CVE-2015-7942
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7942
[  9 ] CVE-2015-8035
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8035
[ 10 ] CVE-2015-8242
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8242
[ 11 ] CVE-2015-8806
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8806
[ 12 ] CVE-2016-1836
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1836
[ 13 ] CVE-2016-1838
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1838
[ 14 ] CVE-2016-1839
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1839
[ 15 ] CVE-2016-1840
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1840
[ 16 ] CVE-2016-2073
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2073
[ 17 ] CVE-2016-3627
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3627
[ 18 ] CVE-2016-3705
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3705
[ 19 ] CVE-2016-4483
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4483
[ 20 ] CVE-2016-4658
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4658
[ 21 ] CVE-2016-5131
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5131

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201701-37

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature