# Security update for libxml2

Announcement ID: SUSE-SU-2025:20116-1
Release Date: 2025-02-03T09:20:59Z
Rating: important
References:
* bsc#1234812
Cross-References:
* CVE-2024-40896
CVSS scores:
* CVE-2024-40896 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2024-40896 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
* CVE-2024-40896 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Products:
* SUSE Linux Micro 6.0

An update that solves one vulnerability can now be installed.

## Description:

This update for libxml2 fixes the following issues:

* CVE-2024-40896: Fixed XML external entity vulnerability (bsc#1234812)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-188=1

## Package List:

* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  * libxml2-2-2.11.6-4.1
  * libxml2-tools-debuginfo-2.11.6-4.1
  * libxml2-debugsource-2.11.6-4.1
  * libxml2-tools-2.11.6-4.1
  * libxml2-2-debuginfo-2.11.6-4.1

## References:

* https://www.suse.com/security/cve/CVE-2024-40896.html
* https://bugzilla.suse.com/show_bug.cgi?id=1234812

LinuxSecurity.com Team
SUSE Security Update: Security update for jackson-databind
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0243-1
Rating: moderate
References: #1177616 #1180391 #1181118
Cross-References: CVE-2020-25649 CVE-2020-35728 CVE-2021-20190
Affected Products:
SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for jackson-databind fixes the following issues:

jackson-databind was updated to 2.10.5.1:

* #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649, bsc#1177616)
* #2787 (partial fix): NPE after add mixin for enum
* #2679: 'ObjectMapper.readValue("123", Void.TYPE)' throws "should never occur"

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Development Tools 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-243=1

Package List:

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
  jackson-databind-2.10.5.1-3.3.2

References:

https://www.suse.com/security/cve/CVE-2020-25649.html
https://www.suse.com/security/cve/CVE-2020-35728.html
https://www.suse.com/security/cve/CVE-2021-20190.html
https://bugzilla.suse.com/1177616
https://bugzilla.suse.com/1180391
https://bugzilla.suse.com/1181118
openSUSE Security Update: Security update for perl-XML-Twig
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1204-1
Rating: moderate
References: #1008644
Cross-References: CVE-2016-9180
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for perl-XML-Twig fixes the following issues:

- Security fix [bsc#1008644, CVE-2016-9180]
  * Setting expand_external_ents to 0 or -1 currently doesn't work as expected; to completely turn off expanding external entities use no_xxe.
  * Update documentation for XML::Twig to mention problems with expand_external_ents and add information about the new no_xxe argument

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:
  zypper in -t patch openSUSE-2020-1204=1

Package List:

- openSUSE Leap 15.2 (noarch):
  perl-XML-Twig-3.52-lp152.4.3.1

References:

https://www.suse.com/security/cve/CVE-2016-9180.html
https://bugzilla.suse.com/1008644
Synopsis: Moderate: xmlsec1 security update
Advisory ID: SLSA-2017:2492-1
Issue Date: 2017-08-21
CVE Numbers: CVE-2017-1000061
--
Security Fix(es):

* It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061)
--
SL7 x86_64
xmlsec1-1.2.20-7.el7_4.i686.rpm
xmlsec1-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-debuginfo-1.2.20-7.el7_4.i686.rpm
xmlsec1-debuginfo-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-openssl-1.2.20-7.el7_4.i686.rpm
xmlsec1-openssl-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-devel-1.2.20-7.el7_4.i686.rpm
xmlsec1-devel-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-gcrypt-1.2.20-7.el7_4.i686.rpm
xmlsec1-gcrypt-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-gcrypt-devel-1.2.20-7.el7_4.i686.rpm
xmlsec1-gcrypt-devel-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-gnutls-1.2.20-7.el7_4.i686.rpm
xmlsec1-gnutls-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-gnutls-devel-1.2.20-7.el7_4.i686.rpm
xmlsec1-gnutls-devel-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-nss-1.2.20-7.el7_4.i686.rpm
xmlsec1-nss-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-nss-devel-1.2.20-7.el7_4.i686.rpm
xmlsec1-nss-devel-1.2.20-7.el7_4.x86_64.rpm
xmlsec1-openssl-devel-1.2.20-7.el7_4.i686.rpm
xmlsec1-openssl-devel-1.2.20-7.el7_4.x86_64.rpm

- Scientific Linux Development Team
Package        : libxml2
Version        : 2.8.0+dfsg1-7+wheezy8
CVE ID         : CVE-2017-7375 CVE-2017-9047 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050

CVE-2017-7375

    Missing validation for external entities in xmlParsePEReference

CVE-2017-9047 CVE-2017-9048

    A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

CVE-2017-9049 CVE-2017-9050

    libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

For Debian 7 "Wheezy", these problems have been fixed in version 2.8.0+dfsg1-7+wheezy8.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-250042b8a6
2016-04-26 16:44:25.072543
--------------------------------------------------------------------------------
Name        : xstream
Product     : Fedora 22
Version     : 1.4.9
Release     : 1.fc22
URL         :
Summary     : Java XML serialization library
Description :
XStream is a simple library to serialize objects to XML and back again.

A high level facade is supplied that simplifies common use cases.
Custom objects can be serialized without need for specifying mappings.
Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput.
No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization.
XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor.
Duplicate references encountered in the object-model will be maintained. Supports circular references.
By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML).
Strategies can be registered allowing customization of how particular types are represented as XML.
When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2016-3674
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1321789 - CVE-2016-3674 XStream: enabled processing of external entities
        https://bugzilla.redhat.com/show_bug.cgi?id=1321789
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
  su -c 'yum update xstream'
at the command line. For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2978-2

It was discovered that the update released for libxml2 in DSA 2978 fixing CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external entities regardless of whether entity substitution or validation is enabled.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2652-1

Brad Hill of iSEC Partners discovered that many XML implementations are vulnerable to external entity expansion issues, which can be used for various purposes such as firewall circumvention, disguising an IP address, and denial-of-service. libxml2 was susceptible to these