Debian: DSA-1861-1: New libxml packages fix several issues

    Date13 Aug 2009
    CategoryDebian
    78
    Posted ByLinuxSecurity Advisories
    Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA-1861-1                    This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                                 Nico Golde
    August 13th, 2009                       http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : libxml
    Vulnerability  : several
    Problem type   : local (remote)
    Debian-specific: no
    CVE IDs        : CVE-2009-2416 CVE-2009-2414
    
    Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
    vulnerabilities in libxml, a library for parsing and handling XML data
    files, which can lead to denial of service conditions or possibly arbitrary
    code execution in the application using the library.  The Common
    Vulnerabilities and Exposures project identifies the following problems:
    
    An XML document with specially-crafted Notation or Enumeration attribute
    types in a DTD definition leads to the use of a pointers to memory areas
    which have already been freed (CVE-2009-2416).
    
    Missing checks for the depth of ELEMENT DTD definitions when parsing
    child content can lead to extensive stack-growth due to a function
    recursion which can be triggered via a crafted XML document (CVE-2009-2414).
    
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 1.8.17-14+etch1.
    
    The stable (lenny), testing (squeeze) and unstable (sid) distribution
    do not contain libxml anymore but libxml2 for which DSA-1859-1 has been
    released.
    
    
    We recommend that you upgrade your libxml packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-14+etch1.diff.gz
        Size/MD5 checksum:   366268 512cbc5adce12b54741cadd80e62eb7d
      http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17.orig.tar.gz
        Size/MD5 checksum:  1016403 b8f01e43e1e03dec37dfd6b4507a9568
      http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-14+etch1.dsc
        Size/MD5 checksum:      716 26bf8a9d037f583d4a9dc1dab5aa4792
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_alpha.deb
        Size/MD5 checksum:   429312 749dda70c33689b70d13469f6c3357ac
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_alpha.deb
        Size/MD5 checksum:   233288 02b88e80b91681e956cb4ab19acfeca6
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_amd64.deb
        Size/MD5 checksum:   223558 ceb0d44c5a6a50373af43359e83667e7
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_amd64.deb
        Size/MD5 checksum:   383872 fc52303783696d53c20999a82e962bd7
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_arm.deb
        Size/MD5 checksum:   356830 43860080fa42274a3d7ad649a6dea3fd
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_arm.deb
        Size/MD5 checksum:   197970 63134af5530d4ab6f1a41046136ea62d
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_hppa.deb
        Size/MD5 checksum:   429646 938ea12262d6fe02426a8d59f5242794
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_hppa.deb
        Size/MD5 checksum:   240036 52f8f7e7c277f0b37fdba7e4b1609f19
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_i386.deb
        Size/MD5 checksum:   212762 b25bde43ee075fa743b1f037a43919b8
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_i386.deb
        Size/MD5 checksum:   364460 0d3f3229b87c1b2d2ff614679d805600
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_ia64.deb
        Size/MD5 checksum:   498736 7fa5b542dcd264d899ea0b49cdf4ffdc
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_ia64.deb
        Size/MD5 checksum:   315918 7e2351fbb88e55dcabcd4bbca3bb26c0
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_mips.deb
        Size/MD5 checksum:   411816 f32a3c2d678a256691a7a6b300467eeb
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_mips.deb
        Size/MD5 checksum:   209842 603a443d76deb3bafea7e288f102d2bb
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_mipsel.deb
        Size/MD5 checksum:   408602 36e9600b0be7e846b4788cd475413858
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_mipsel.deb
        Size/MD5 checksum:   210312 e78866fce8cdc8fd0854203a73f50a6e
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_powerpc.deb
        Size/MD5 checksum:   213862 5a6fde00e79c0ab8a873f0f0d2bfc028
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_powerpc.deb
        Size/MD5 checksum:   388622 c93294decb6b25bb4c3fe43dc0fa25e2
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_s390.deb
        Size/MD5 checksum:   387402 43844dfcb0401e9fd1ac3d4c80281f83
      http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_s390.deb
        Size/MD5 checksum:   226562 c9da4865e04f157ceacde8f59b040f28
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":51.32,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.47,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"26","type":"x","order":"3","pct":34.21,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.