ArchLinux: 201606-13: expat: multiple issues
Summary
- CVE-2012-6702 (predictable random numbers)
It was found that when calling XML_Parse ahead of rand(), it causes the
pseudo random generator to generate non-random predictable numbers.
- CVE-2016-5300 (denial of service)
It was found that original fix for CVE-2012-0876 used too little
entropy for the hash initialization. This issue can be used to perform
a hash collision based denial of service attack.
Resolution
Upgrade to 2.1.1-3.
# pacman -Syu "expat>=2.1.1-3"
The problems have been fixed upstream but no release is available yet.
References
https://access.redhat.com/security/cve/CVE-2012-6702 https://access.redhat.com/security/cve/CVE-2016-5300
Workaround
None.