
Gentoo: GLSA-201009-08 Normal: libcurl Vulnerability Exploit

gentoo
September 21, 2010
Explore Gentoo GLSA 201009-07 on libxml2 Denial of Service vulnerabilities and get recommendations for action.
Multiple Denial of Service vulnerabilities were found in libxml2.

Summary

The following vulnerabilities were reported after a test with the Codenomicon XML fuzzing framework:

* Two use-after-free vulnerabilities are possible when parsing an XML file with Notation or Enumeration attribute types (CVE-2009-2416).
* A stack consumption vulnerability can be triggered via a large depth of element declarations in a DTD, related to a function recursion (CVE-2009-2414).

Resolution

All libxml2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.3-r2"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since August 30, 2009. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2009-2414 https://www.cve.org/CVERecord?id=CVE-2009-2414
[ 2 ] CVE-2009-2416 https://www.cve.org/CVERecord?id=CVE-2009-2416

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201009-07

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: libxml2: Denial of Service
Date: September 21, 2010
Bugs: #280617
ID: 201009-07

Synopsis

Multiple Denial of Service vulnerabilities were found in libxml2.

Background

libxml2 is a library to manipulate XML files.


Affected Packages

    -------------------------------------------------------------------
       Package           /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
    1  dev-libs/libxml2      < 2.7.3-r2                   >= 2.7.3-r2
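
The check below is an added example, not part of the GLSA or of Portage: it classifies installed libxml2 versions against the 2.7.3-r2 boundary from the table above. It assumes versions of the form X.Y.Z[-rN] only and compares components as integers, a simplification of Gentoo's full version rules; the function names are hypothetical.

```python
import re

# Boundary taken from the advisory's Affected Packages table.
PACKAGE = "dev-libs/libxml2"
FIRST_UNAFFECTED = "2.7.3-r2"

# Simplified grammar (assumption): dotted numbers plus optional -rN revision.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")


def parse_version(version):
    """Split 'X.Y.Z[-rN]' into ((X, Y, Z), N); a missing revision counts as r0."""
    match = _VERSION_RE.fullmatch(version)
    if match is None:
        raise ValueError(f"unsupported version format: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    revision = int(match.group(2) or 0)
    return numbers, revision


def is_vulnerable(installed):
    """True when installed < 2.7.3-r2, the range the GLSA lists as vulnerable."""
    # Integer comparison matters: as strings, 'r10' < 'r2' and '10' < '3'.
    return parse_version(installed) < parse_version(FIRST_UNAFFECTED)


def audit(installed_versions):
    """Map each version to 'vulnerable', 'unaffected' or 'unparsed'."""
    report = {}
    for version in installed_versions:
        try:
            status = "vulnerable" if is_vulnerable(version) else "unaffected"
        except ValueError:
            # Suffixes such as _rc or _p are outside the simplified grammar;
            # flag them for manual review instead of guessing.
            status = "unparsed"
        report[version] = status
    return report


if __name__ == "__main__":
    # Constructed sample versions, not taken from a real system.
    sample = ["2.7.2", "2.7.3", "2.7.3-r1", "2.7.3-r2",
              "2.7.3-r10", "2.7.10", "2.9.1_rc1"]
    for version, status in audit(sample).items():
        print(f"{PACKAGE}-{version}: {status}")
```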

Impact

A remote attacker could entice a user or automated system to open a specially crafted XML document with an application using libxml2, resulting in a Denial of Service condition.

Workaround

There is no known workaround at this time.
