Linux Security

    Debian LTS: DLA-2369-1: libxml2 security update

    Date 09 Sep 2020
    Posted By LinuxSecurity Advisories
    -------------------------------------------------------------------------
    Debian LTS Advisory DLA-2369-1               [email protected]                     Markus Koschany
    September 09, 2020
    -------------------------------------------------------------------------
    Package        : libxml2
    Version        : 2.9.4+dfsg1-2.2+deb9u3
    CVE ID         : CVE-2017-8872 CVE-2017-18258 CVE-2018-14404
                     CVE-2018-14567 CVE-2019-19956 CVE-2019-20388
                     CVE-2020-7595 CVE-2020-24977
    Debian Bug     : 895245 862450 949583 969529 949582
    Several security vulnerabilities were corrected in libxml2, the GNOME
    XML library.

    CVE-2017-8872

        Global buffer-overflow in the htmlParseTryOrFinish function.

    CVE-2017-18258

        The xz_head function in libxml2 allows remote attackers to cause a
        denial of service (memory consumption) via a crafted LZMA file,
        because the decoder functionality does not restrict memory usage to
        what is required for a legitimate file.

    CVE-2018-14404

        A NULL pointer dereference vulnerability exists in the
        xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an
        invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.
        Applications processing untrusted XSL format inputs may be
        vulnerable to a denial of service attack.

    CVE-2018-14567

        If libxml2 is built with the --with-lzma option, it allows remote
        attackers to cause a denial of service (infinite loop) via a
        crafted XML file.

    CVE-2019-19956

        The xmlParseBalancedChunkMemoryRecover function has a memory leak
        related to newDoc->oldNs.

    CVE-2019-20388

        A memory leak was found in the xmlSchemaValidateStream function of
        libxml2. Applications that use this library may be vulnerable to
        memory not being freed leading to a denial of service.

    CVE-2020-7595

        Infinite loop in xmlStringLenDecodeEntities can cause a denial of

    CVE-2020-24977

        Out-of-bounds read restricted to xmllint --htmlout.
    For Debian 9 stretch, these problems have been fixed in version

    We recommend that you upgrade your libxml2 packages.

    For the detailed security status of libxml2 please refer to
    its security tracker page at:

    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at:
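    The advisory's remediation is to upgrade to the fixed version. As an added example (not part of the advisory or of Debian's tooling), the following Python script applies dpkg's version-ordering rules (epoch, upstream, revision; `~` sorts lowest) to `dpkg-query` output and flags libxml2 packages still older than 2.9.4+dfsg1-2.2+deb9u3; the dpkg-query output lines are constructed.

```python
"""Flag installed libxml2 packages older than the DLA-2369-1 fixed version (dpkg ordering)."""

FIXED_VERSION = "2.9.4+dfsg1-2.2+deb9u3"  # fixed version named in the advisory
# Constructed sample of: dpkg-query -W -f='${Package} ${Version}\n' libxml2
SAMPLE_DPKG_OUTPUT = "libxml2:amd64 2.9.4+dfsg1-2.2+deb9u2\nlibxml2:i386 2.9.4+dfsg1-2.2+deb9u3\n"

def _order(c):
    """dpkg character weight: '~' lowest, letters next, other punctuation highest; digits/end = 0."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256 if c and not c.isdigit() else 0

def _verrevcmp(a, b):
    """Compare one version part as dpkg's verrevcmp() does: alternate non-digit
    runs (weighted by _order) and digit runs (compared numerically)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():  # the longer digit run is larger
            return 1 if a[:1].isdigit() else -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    def split(v):  # 'epoch:upstream-revision'; epoch defaults to 0, revision to ''
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def vulnerable_packages(dpkg_output, fixed=FIXED_VERSION):
    """Return (package, version) pairs for libxml2 entries older than `fixed`."""
    return [(pkg, ver) for pkg, _, ver in
            (line.partition(" ") for line in dpkg_output.splitlines())
            if pkg.split(":")[0] == "libxml2" and compare_versions(ver, fixed) < 0]
```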
