[security-announce] libxml2: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Mar 17 14:40:01 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: libxml2
Severity: Moderate
CVE Name: CVE-2014-3660
=========================================================
A security patch that fixes a denial of service via nested entity
expansion (a "billion laughs" variant) in libxml2 is now available at
http://linux.enea.com/5.0-beta-m400/patches:

README file: 0009-libxml2-fix-CVE-2014-3660.README
Patch file: 0009-libxml2-fix-CVE-2014-3660.patch

Description
===========
parser.c in libxml2 before 2.9.2 does not properly prevent entity
expansion even when entity substitution has been disabled (that is, when
the XML_PARSE_NOENT parser option is not set), which allows
context-dependent attackers to cause a denial of service (CPU
consumption) via a crafted XML document containing a large number of
nested entity references, a variant of the "billion laughs" attack.
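As an added example (not code from this advisory, from Enea or from libxml2), the following builds a constructed document of the nested-entity shape CVE-2014-3660 concerns and estimates, by arithmetic alone, how many characters a full expansion would produce. Nothing is expanded, so the check is safe to run on untrusted input before any XML parser sees it, whatever that parser's own limits are. The regexes, the function names and the thresholds (max_ratio, max_expanded) are this example's own assumptions and do not describe libxml2's internal limits.

```python
"""Pre-parse estimate of nested-entity expansion ("billion laughs").

Added example, not code from the Enea advisory or from libxml2. Regex
shapes, function names and thresholds are assumptions of this example.
"""
import re

# Internal general entity declarations in the DOCTYPE internal subset,
# e.g. <!ENTITY lol "lol">. Parameter entities (%name;) are not modelled.
_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&(\w+);')
_DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>', re.DOTALL)


def parse_entity_decls(xml_text):
    """Map entity name -> literal replacement text, without expanding it."""
    decls = {}
    for m in _ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls[m.group(1)] = value
    return decls


def expanded_length(name, decls, memo, stack=()):
    """Characters `name` expands to: its literal text minus the reference
    tokens, plus the expanded size of every entity it references.

    Memoised, so a chain of depth d with fan-out k costs O(d*k) to estimate
    even though a real expansion would produce k**d copies."""
    if name in memo:
        return memo[name]
    if name in stack:
        # Direct or indirect self-reference: forbidden by the XML spec, and
        # a conforming parser must reject it rather than loop.
        raise ValueError("recursive entity reference through %r" % name)
    if name not in decls:
        # Predefined (&amp; &lt; ...) or externally declared: count one char.
        return 1
    value = decls[name]
    total = len(value)
    for ref in _ENTITY_REF.finditer(value):
        total -= len(ref.group(0))
        total += expanded_length(ref.group(1), decls, memo, stack + (name,))
    memo[name] = total
    return total


def estimate_expansion(xml_text):
    """Characters the document body would occupy after full expansion."""
    decls = parse_entity_decls(xml_text)
    memo = {}
    body = _DOCTYPE.sub("", xml_text, count=1)
    total = len(body)
    for ref in _ENTITY_REF.finditer(body):
        total -= len(ref.group(0))
        total += expanded_length(ref.group(1), decls, memo)
    return total


def is_entity_bomb(xml_text, max_ratio=10, max_expanded=10_000_000):
    """True when expansion would exceed an absolute size or an amplification
    ratio relative to the input. Both thresholds are assumed values."""
    expanded = estimate_expansion(xml_text)
    return expanded > max_expanded or expanded > max_ratio * len(xml_text)


def billion_laughs(depth=9, fanout=10):
    """Constructed sample: each level references the previous one `fanout`
    times, so level `depth` expands to 3 * fanout**depth characters."""
    lines = ['<?xml version="1.0"?>', '<!DOCTYPE lolz [', ' <!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        lines.append(' <!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
    lines.append(']>')
    lines.append('<lolz>&lol%d;</lolz>' % depth)
    return "\n".join(lines)


if __name__ == "__main__":
    doc = billion_laughs()
    print("input chars:", len(doc), "expanded chars:", estimate_expansion(doc))
    print("entity bomb:", is_entity_bomb(doc))
```

The estimate is what makes the attack cheap to recognise: the classic nine-level, ten-way document is under a kilobyte of input but expands to three billion characters, and a parser that walks the references without substituting them (the pre-2.9.2 behaviour the advisory describes) still spends that work. Rejecting on the estimated ratio, or on a recursive reference, costs a single pass over the declarations.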

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches; please refer to the
    README file for the individual patch>

- Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0009-libxml2-fix-CVE-2014-3660.patch
patch -p1 < ./0009-libxml2-fix-CVE-2014-3660.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJVCC6xAAoJEHc+9u9ocWoUReIP/3H3yCyQ3yZepy/ACEzFLLEl
MKQXfaigGOf2GILPsbguELdxthW/hpqNjDobBDKFxmRneocPGGERltreNECze4Wi
7AZVdg0zsFNhWnHxOv+iPtW7P8iQ94f65sdiVRP8SRGWIQewrMJMr+ZcyrY0Bynx
/Wi8u3e1PTDoBveRMx3z//n6j634iP6S2EJMzNsxo//CI+o43u0ZZLunl4AxsdXE
5P/Ao6B633X1Z0Qt6qPysrJkaZom7cHBOikLCxQT6h19VffSDI1h5sscDnQ3g0d2
yH+cBd5WvjdshtNJ7J9r99b2xjjqHmtdl5OJJv7bBk/mnn/q5uZDJ6KrRZ1KjWpX
y9xakBABG6P+ivb/4LVpX1epBAwxFP+TcjgBo8XryQfvwioE8is3hg7Qpg5aLlv7
Ub8HCk6fm9CopIv3HlAv20d0Vdj1TyvojfJjVb/Bz65ldkH/1X4skGiUCbU3OF6j
rrGPPL8Ggi3M9sxG8vuNDX0+m4UGqt+Q/cBv7NtkNe8Bz/wEjzRYA0+nMjYlcuwQ
ziDAa3I6gpDfsN7Zq3GnkAH7cC9cTRKock1beh91WHJxpKjy72X8Wq6rhse/cFp8
L4DoVSrTbENHKjtx7XjUduBSWcAwmZrEzfNP1k+bI+fVrQPLBLbZi/rGJkR0hSXK
kzaDzWq9C8yuXy8k/TJY
=spug
-----END PGP SIGNATURE-----
