ArchLinux: 201606-14: lib32-expat: multiple issues
Summary
- CVE-2012-6702 (predictable random numbers)
It was found that when calling XML_Parse ahead of rand(), it causes the
pseudo random generator to generate non-random predictable numbers.
- CVE-2016-5300 (denial of service)
It was found that original fix for CVE-2012-0876 used too little
entropy for the hash initialization. This issue can be used to perform
a hash collision based denial of service attack.
Resolution
Upgrade to 2.1.1-3.
# pacman -Syu "lib32-expat>=2.1.1-3"
The problems have been fixed upstream but no release is available yet.
References
https://access.redhat.com/security/cve/CVE-2012-6702 https://access.redhat.com/security/cve/CVE-2016-5300
![Dist Arch](/images/distros/dist-arch.png)
Workaround
None.