[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [SECURITY] [DSA 1861-1] New libxml packages fix several issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1861-1                    security@xxxxxxxxxx
http://www.debian.org/security/                                 Nico Golde
August 13th, 2009                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libxml
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2009-2416 CVE-2009-2414

Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
vulnerabilities in libxml, a library for parsing and handling XML data
files, which can lead to denial of service conditions or possibly arbitrary
code execution in the application using the library.  The Common
Vulnerabilities and Exposures project identifies the following problems:

An XML document with specially-crafted Notation or Enumeration attribute
types in a DTD definition leads to the use of a pointers to memory areas
which have already been freed (CVE-2009-2416).

Missing checks for the depth of ELEMENT DTD definitions when parsing
child content can lead to extensive stack-growth due to a function
recursion which can be triggered via a crafted XML document (CVE-2009-2414).


For the oldstable distribution (etch), this problem has been fixed in
version 1.8.17-14+etch1.

The stable (lenny), testing (squeeze) and unstable (sid) distribution
do not contain libxml anymore but libxml2 for which DSA-1859-1 has been
released.


We recommend that you upgrade your libxml packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-14+etch1.diff.gz
    Size/MD5 checksum:   366268 512cbc5adce12b54741cadd80e62eb7d
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17.orig.tar.gz
    Size/MD5 checksum:  1016403 b8f01e43e1e03dec37dfd6b4507a9568
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-14+etch1.dsc
    Size/MD5 checksum:      716 26bf8a9d037f583d4a9dc1dab5aa4792

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_alpha.deb
    Size/MD5 checksum:   429312 749dda70c33689b70d13469f6c3357ac
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_alpha.deb
    Size/MD5 checksum:   233288 02b88e80b91681e956cb4ab19acfeca6

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_amd64.deb
    Size/MD5 checksum:   223558 ceb0d44c5a6a50373af43359e83667e7
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_amd64.deb
    Size/MD5 checksum:   383872 fc52303783696d53c20999a82e962bd7

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_arm.deb
    Size/MD5 checksum:   356830 43860080fa42274a3d7ad649a6dea3fd
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_arm.deb
    Size/MD5 checksum:   197970 63134af5530d4ab6f1a41046136ea62d

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_hppa.deb
    Size/MD5 checksum:   429646 938ea12262d6fe02426a8d59f5242794
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_hppa.deb
    Size/MD5 checksum:   240036 52f8f7e7c277f0b37fdba7e4b1609f19

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_i386.deb
    Size/MD5 checksum:   212762 b25bde43ee075fa743b1f037a43919b8
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_i386.deb
    Size/MD5 checksum:   364460 0d3f3229b87c1b2d2ff614679d805600

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_ia64.deb
    Size/MD5 checksum:   498736 7fa5b542dcd264d899ea0b49cdf4ffdc
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_ia64.deb
    Size/MD5 checksum:   315918 7e2351fbb88e55dcabcd4bbca3bb26c0

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_mips.deb
    Size/MD5 checksum:   411816 f32a3c2d678a256691a7a6b300467eeb
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_mips.deb
    Size/MD5 checksum:   209842 603a443d76deb3bafea7e288f102d2bb

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_mipsel.deb
    Size/MD5 checksum:   408602 36e9600b0be7e846b4788cd475413858
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_mipsel.deb
    Size/MD5 checksum:   210312 e78866fce8cdc8fd0854203a73f50a6e

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_powerpc.deb
    Size/MD5 checksum:   213862 5a6fde00e79c0ab8a873f0f0d2bfc028
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_powerpc.deb
    Size/MD5 checksum:   388622 c93294decb6b25bb4c3fe43dc0fa25e2

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_s390.deb
    Size/MD5 checksum:   387402 43844dfcb0401e9fd1ac3d4c80281f83
  
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_s390.deb
    Size/MD5 checksum:   226562 c9da4865e04f157ceacde8f59b040f28


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqEekUACgkQHYflSXNkfP8mZgCggjl7lV6LNPSO+b5xCdhx2/o2
k+0AoK7VaXyZJpBP48ZMPpyXSFXFKWoA
=r2rS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/