Security update for libxml2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0446-1 Final 1 1 2017-02-10T21:24:44Z current 2017-02-10T21:24:44Z 2017-02-10T21:24:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxml2 This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-02/msg00055.html E-Mail link for openSUSE-SU-2017:0446-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libxml2-2.9.4-3.1 libxml2-2-2.9.4-3.1 libxml2-2-32bit-2.9.4-3.1 libxml2-devel-2.9.4-3.1 libxml2-devel-32bit-2.9.4-3.1 libxml2-doc-2.9.4-3.1 libxml2-tools-2.9.4-3.1 python-libxml2-2.9.4-3.1 libxml2-2.9.4-3.1 as a component of openSUSE Leap 42.2 libxml2-2-2.9.4-3.1 as a component of openSUSE Leap 42.2 libxml2-2-32bit-2.9.4-3.1 as a component of openSUSE Leap 42.2 libxml2-devel-2.9.4-3.1 as a component of openSUSE Leap 42.2 libxml2-devel-32bit-2.9.4-3.1 as a component of openSUSE Leap 42.2 libxml2-doc-2.9.4-3.1 as a component of openSUSE Leap 42.2 libxml2-tools-2.9.4-3.1 as a component of openSUSE Leap 42.2 python-libxml2-2.9.4-3.1 as a component of openSUSE Leap 42.2 xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. CVE-2016-4658 openSUSE Leap 42.2:libxml2-2-2.9.4-3.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-3.1 openSUSE Leap 42.2:libxml2-2.9.4-3.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-3.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-3.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-3.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-3.1 openSUSE Leap 42.2:python-libxml2-2.9.4-3.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00055.html https://www.suse.com/security/cve/CVE-2016-4658.html CVE-2016-4658 https://bugzilla.suse.com/1005544 SUSE Bug 1005544 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1069433 SUSE Bug 1069433 https://bugzilla.suse.com/1078813 SUSE Bug 1078813 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. CVE-2016-9318 openSUSE Leap 42.2:libxml2-2-2.9.4-3.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-3.1 openSUSE Leap 42.2:libxml2-2.9.4-3.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-3.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-3.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-3.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-3.1 openSUSE Leap 42.2:python-libxml2-2.9.4-3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00055.html https://www.suse.com/security/cve/CVE-2016-9318.html CVE-2016-9318 https://bugzilla.suse.com/1010675 SUSE Bug 1010675 https://bugzilla.suse.com/1013930 SUSE Bug 1013930 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1019074 SUSE Bug 1019074 https://bugzilla.suse.com/1118959 SUSE Bug 1118959 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/1126613 SUSE Bug 1126613 https://bugzilla.suse.com/1148896 SUSE Bug 1148896 It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705. CVE-2016-9597 openSUSE Leap 42.2:libxml2-2-2.9.4-3.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-3.1 openSUSE Leap 42.2:libxml2-2.9.4-3.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-3.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-3.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-3.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-3.1 openSUSE Leap 42.2:python-libxml2-2.9.4-3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00055.html https://www.suse.com/security/cve/CVE-2016-9597.html CVE-2016-9597 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1017497 SUSE Bug 1017497 https://bugzilla.suse.com/1123919 SUSE Bug 1123919