GLSA Advocate
Posted: Wed Dec 10, 2014 10:26 am Post subject: [ GLSA 201412-06 ] libxml2: Denial of Service
Gentoo Linux Security Advisory
Title: libxml2: Denial of Service (GLSA 201412-06)
Severity: normal
Exploitable: local, remote
Date: December 10, 2014
Bug(s): #525656
ID: 201412-06
Synopsis
A vulnerability in libxml2 could result in Denial of Service.
Background
libxml2 is the XML C parser and toolkit developed for the Gnome project.
Affected Packages
Package: dev-libs/libxml2
Vulnerable: < 2.9.2
Unaffected: >= 2.9.2
Architectures: All supported architectures
Description
parser.c in libxml2 before 2.9.2 does not properly prevent entity
expansion even when entity substitution has been disabled. A crafted XML
document containing a large number of nested entity references (a
"billion laughs" style document) can therefore still trigger excessive
entity expansion and CPU consumption in the parser.
Impact
A context-dependent attacker could entice a user to open a specially
crafted XML file with an application linked against libxml2, possibly
resulting in a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All libxml2 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.9.2"
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.
References
CVE-2014-3660
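A quick way to tell whether a host is still within the vulnerable range before (or after) running the emerge commands above is to compare the installed libxml2 version against the 2.9.2 boundary the advisory gives. The script below is an added example written for this post; it is not part of the GLSA or of Gentoo's tooling. It assumes that either pkg-config (with the libxml-2.0 module) or xml2-config is on the PATH to report the installed version, and it treats Gentoo-style "-rN" revisions as equal to the base release and "_rc"/"_beta"/"_pre"/"_alpha" suffixes as sorting below it; two pre-releases of the same base version are not ordered against each other.

```sh
#!/bin/sh
# Added example for GLSA 201412-06 (not part of the advisory or of Gentoo).
# Reports whether the installed libxml2 is below the fixed version 2.9.2.

FIXED_VERSION="2.9.2"   # "Unaffected: >= 2.9.2" from the advisory

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
# Handles unequal lengths ("2.9" < "2.9.2"), numeric components ("2.10" > "2.9"),
# Gentoo revisions ("2.9.2-r1" == "2.9.2") and pre-release suffixes
# ("2.9.2_rc1" < "2.9.2"). Two pre-releases of one base version compare equal.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        xraw=${a%%.*}; yraw=${b%%.*}
        # advance to the next component, or empty the string when none remain
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        # keep only the leading digits of each component ("2-r1" -> "2", "" -> "0")
        x=${xraw%%[!0-9]*}; y=${yraw%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -eq "$y" ]; then
            case $xraw in
                *_alpha*|*_beta*|*_pre*|*_rc*)
                    case $yraw in
                        *_alpha*|*_beta*|*_pre*|*_rc*) ;;  # both pre-releases: treat as equal
                        *) return 0 ;;                       # pre-release sorts below the release
                    esac ;;
            esac
            continue
        fi
        [ "$x" -lt "$y" ] && return 0
        return 1
    done
    return 1   # all components equal: A is not less than B
}

# glsa_status VERSION: prints "vulnerable" or "unaffected" for this advisory.
glsa_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# detect_installed_version: prints the libxml2 version the toolchain reports,
# or nothing when neither pkg-config nor xml2-config can be consulted.
detect_installed_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libxml-2.0 2>/dev/null; then
        pkg-config --modversion libxml-2.0
    elif command -v xml2-config >/dev/null 2>&1; then
        xml2-config --version
    fi
}

installed=$(detect_installed_version)
if [ -n "$installed" ]; then
    echo "libxml2 $installed: $(glsa_status "$installed")"
else
    echo "libxml2 version not detected (no pkg-config module or xml2-config found)"
fi
```

The version reported by pkg-config or xml2-config is the one applications actually link against, which is what matters here; on a Gentoo box the package manager's own view can be cross-checked with glsa-check from app-portage/gentoolkit (assumed installed), e.g. `glsa-check -t 201412-06`. Remember that a library upgrade does not restart already-running processes that have the old libxml2 mapped, so long-lived daemons parsing untrusted XML need a restart after the emerge.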