Updated: March 09, 2004
Affected
Please see http://www.debian.org/security/2004/dsa-455
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA 455-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 3rd, 2004                         http://www.debian.org/security/faq

Package        : libxml, libxml2
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0110

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml, the GNOME XML library.
When fetching a remote resource via FTP or HTTP, the library uses
special parsing routines which can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml1
or libxml2 that parses remote resources and allows the attacker to
craft the URL, then this flaw could be used to execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in
version 1.8.17-2woody1 of libxml and version 2.4.19-4woody1 of libxml2.

For the unstable distribution (sid) this problem has been fixed in
version 1.8.17-5 of libxml and version 2.6.6-1 of libxml2.

We recommend that you upgrade your libxml1 and libxml2 packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-2woody1.dsc
    Size/MD5 checksum:     651 16512f774479d73b7d82ca4e1db527f5
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-2woody1.diff.gz
    Size/MD5 checksum:   33976 68afef27edf44d2b81e02fde3431bca8
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17.orig.tar.gz
    Size/MD5 checksum: 1016403 b8f01e43e1e03dec37dfd6b4507a9568

http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1.dsc
    Size/MD5 checksum:     654 6f56380f9bfade2c66f03956e1a65162
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1.diff.gz
    Size/MD5 checksum:  344358 ba3ea49cc8c465ff1a6377780c35a45d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19.orig.tar.gz
    Size/MD5 checksum: 1925487 22e3c043f57e18baaed86c5fff3eafbc

Alpha architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_alpha.deb
    Size/MD5 checksum:  381994 dc3ada5391f52bdfd642df1bc5b9a6be
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_alpha.deb
    Size/MD5 checksum:  208830 a0698c267c722bf5127ee3709024ecc9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_alpha.deb
    Size/MD5 checksum:  388786 a4ece19b65c46dd0e8f889c26e5938b3
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_alpha.deb
    Size/MD5 checksum:  938568 5f3e46bd132c9167db9e93ca3c739952

ARM architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_arm.deb
    Size/MD5 checksum:  392536 9e126158928d24a562ae1d2b3d35ae1d
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_arm.deb
    Size/MD5 checksum:  184172 0527fd6a14e003139be9b475e689ee41
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_arm.deb
    Size/MD5 checksum:  346060 6b9caeac9a0061576f8a1e5b46ed8671
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_arm.deb
    Size/MD5 checksum:  902966 688fb8c5ea18b0f9d8e7671dad5426c5

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_i386.deb
    Size/MD5 checksum:  330042 b1c61849e10edbe597429fcd05d1d2b3
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_i386.deb
    Size/MD5 checksum:  183310 3c217f980c138f24eac1a0abd89eba78
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_i386.deb
    Size/MD5 checksum:  333034 11cfc7169e549c63dccf28f15300a8eb
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_i386.deb
    Size/MD5 checksum:  843084 43a242f53ed8a688e5ed02284a150f52

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_ia64.deb
    Size/MD5 checksum:  447184 5bfa2835a9d9b43da6d31e1cadce6bc1
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_ia64.deb
    Size/MD5 checksum:  285484 a378583eaaaf1248aba8de4fd721c5fc
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_ia64.deb
    Size/MD5 checksum:  507452 b447844080f6e0c1d498b34ec849c9b2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_ia64.deb
    Size/MD5 checksum: 1032662 ddd7aae0835fe1edb04aee7cdf2e41c0

HP Precision architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_hppa.deb
    Size/MD5 checksum:  439372 d5f629dc7f885dd858671ab639d954f8
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_hppa.deb
    Size/MD5 checksum:  248212 837ec145aac757ce053075a4736ddb55
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_hppa.deb
    Size/MD5 checksum:  425454 0719d6e0835b6dae714b1ce1a0bd9d77
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_hppa.deb
    Size/MD5 checksum:  979152 41e110f4c9805a5afb94fff79d1f3d22

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_m68k.deb
    Size/MD5 checksum:  318176 d0dcb654f8083e0873396d38aaa1a7a2
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_m68k.deb
    Size/MD5 checksum:  178226 c18c0c7bb3c0884c62f36922e5843e83
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_m68k.deb
    Size/MD5 checksum:  336902 2990a52db32dc3fd3108be4e677e59bf
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_m68k.deb
    Size/MD5 checksum:  828820 6378b37494b667bce472f934f50c3cb8

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_mips.deb
    Size/MD5 checksum:  376266 1c226409e23047ec521224697a82f76c
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_mips.deb
    Size/MD5 checksum:  183628 0fa6098bdbfeadb50dfb7e5f4f2c967c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_mips.deb
    Size/MD5 checksum:  348902 474e9b8bc026ca199218727203422c12
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_mips.deb
    Size/MD5 checksum:  921098 b8aa537054fc482ab042647ac0551f94

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_mipsel.deb
    Size/MD5 checksum:  373696 603708cf407ea49748c987bea0ddaade
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_mipsel.deb
    Size/MD5 checksum:  182958 5397950eb709142774a2aa70f5faa9db
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_mipsel.deb
    Size/MD5 checksum:  343660 985465f428571c774bb3b44699768c15
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_mipsel.deb
    Size/MD5 checksum:  915010 0553eb273d500c82b93cac55b7c52ad4

PowerPC architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_powerpc.deb
    Size/MD5 checksum:  356590 f97bc218912092bae051188dd9c157d5
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_powerpc.deb
    Size/MD5 checksum:  194062 b37b9d75744323dafdc4a76293c3456d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_powerpc.deb
    Size/MD5 checksum:  376486 bdfb8d5a839f65286e57e34857fd14f1
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_powerpc.deb
    Size/MD5 checksum:  916952 90f7f069508d26431cc61f967886b159

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_s390.deb
    Size/MD5 checksum:  329398 2b6046a2aeb468a00abc8556676d10d1
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_s390.deb
    Size/MD5 checksum:  184216 78803336930258db2d7b115c4b708fad
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_s390.deb
    Size/MD5 checksum:  360282 a7bb4f832d6a4d86753b3d046f4e8fa1
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_s390.deb
    Size/MD5 checksum:  857396 e7efd1f4a92ba1f6a1a3c96e5c5a851b

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody1_sparc.deb
    Size/MD5 checksum:  347058 88ec785a5184e9ff44e617638b661be4
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody1_sparc.deb
    Size/MD5 checksum:  196108 da3f13d8c4e4ffd8604cd01cf26c781f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody1_sparc.deb
    Size/MD5 checksum:  363670 ab415cd91562622e7ab2dde1df98a09b
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody1_sparc.deb
    Size/MD5 checksum:  886976 ba693e42209a963c26f325d89ecbe989

These files will probably be moved into the stable distribution on
its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show
Updated: March 09, 2004
Affected
Please see http://www.redhat.com/archives/fedora-announce-list/2004-February/msg00029.html
The vendor has not provided us with any further information regarding this vulnerability.
SECURITY: Update of libxml2 2.6.6 available
From: Daniel Veillard
Updated: March 09, 2004
Affected
Please see http://bugs.gentoo.org/show_bug.cgi?id=42735 or http://secunia.com/advisories/11051/
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gentoo Linux Security Advisory                           GLSA 200403-01
                                             http://security.gentoo.org
  Severity: Normal
     Title: Libxml2 URI Parsing Buffer Overflow Vulnerabilities
      Date: March 06, 2004
      Bugs: #42735
        ID: 200403-01

Synopsis

A buffer overflow has been discovered in libxml2 versions prior to 2.6.6
which may be exploited by an attacker allowing the execution of arbitrary
code.

Description

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When the libxml2 library fetches a remote resource via FTP or HTTP,
libxml2 uses parsing routines that can overflow a buffer caused by
improper bounds checking if they are passed a URL longer than 4096 bytes.

Impact

If an attacker is able to exploit an application using libxml2 that
parses remote resources, then this flaw could be used to execute
arbitrary code.

Workaround

No workaround is available; users are urged to upgrade libxml2 to 2.6.6.

Resolution

All users are recommended to upgrade their libxml2 installation:

    # emerge sync
    # emerge -pv ">=dev-libs/libxml2-2.6.6"
    # emerge ">=dev-libs/libxml2-2.6.6"

References

  [ 1 ] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFASl4EMMXbAy2b2EIRAv+yAJ9NbGSqlVb4KzZ2IC4c2DBt3aaV1ACgxlhB
1c1NaJh9ByyfACBlmAU0Yz4=
=scAU
-----END PGP SIGNATURE-----
Updated: March 09, 2004
Affected
Please see http://lists.gnome.org/archives/gnome-announce-list/2004-February/msg00051.html
The vendor has not provided us with any further information regarding this vulnerability.
ANNOUNCE: The GNOME XML toolkit 2.6.6
From: Daniel Veillard
Updated: March 09, 2004
Affected
Please see http://www.netwosix.org/adv04.html
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Netwosix Linux Security Advisory #2004-0004
Updated: March 09, 2004
Affected
Please see http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:018
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandrakelinux Security Update Advisory

Package name:      libxml2
Advisory ID:       MDKSA-2004:018
Date:              March 3rd, 2004
Affected versions: 9.1, 9.2, Corporate Server 2.1

Problem Description:

A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi
Teranishi. When fetching a remote source via FTP or HTTP, libxml2
uses special parsing routines that can overflow a buffer if passed a
very long URL. In the event that the attacker can find a program that
uses libxml2 which parses remote resources and allows them to
influence the URL, this flaw could be used to execute arbitrary code.

The updated packages provide a backported fix to correct the problem.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

Updated Packages:

Corporate Server 2.1:
51af35991ac6ceef5cd6ddc4330e1995  corporate/2.1/RPMS/libxml2-2.4.23-4.2.C21mdk.i586.rpm
34e6aa4c010e14199767c97d5fe0b706  corporate/2.1/RPMS/libxml2-devel-2.4.23-4.2.C21mdk.i586.rpm
9b551a5dfa4129f88fa90062ed684725  corporate/2.1/RPMS/libxml2-python-2.4.23-4.2.C21mdk.i586.rpm
7c2efde8dde2fabc15d0c59fd867d156  corporate/2.1/RPMS/libxml2-utils-2.4.23-4.2.C21mdk.i586.rpm
153ca0fed634a7485046181baf06ea94  corporate/2.1/SRPMS/libxml2-2.4.23-4.2.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
2bfb3a34f15d5484119f94ea0d8c9d69  x86_64/corporate/2.1/RPMS/libxml2-2.4.23-4.2.C21mdk.x86_64.rpm
251108957d5ba90a9082d1f1976e5fb7  x86_64/corporate/2.1/RPMS/libxml2-devel-2.4.23-4.2.C21mdk.x86_64.rpm
7f4d9e5052d9ca41cd0ed8dba78d2416  x86_64/corporate/2.1/RPMS/libxml2-python-2.4.23-4.2.C21mdk.x86_64.rpm
63e3b6910f6e42b775cb936ce581b16e  x86_64/corporate/2.1/RPMS/libxml2-utils-2.4.23-4.2.C21mdk.x86_64.rpm
153ca0fed634a7485046181baf06ea94  x86_64/corporate/2.1/SRPMS/libxml2-2.4.23-4.2.C21mdk.src.rpm

Mandrakelinux 9.1:
9b91d9a62e88829d180335e93005d706  9.1/RPMS/libxml2-2.5.4-1.2.91mdk.i586.rpm
42ea5fe9ee7733bab3e726cb0005a9e8  9.1/RPMS/libxml2-devel-2.5.4-1.2.91mdk.i586.rpm
98642ae61a8884d25878bc91f1d06622  9.1/RPMS/libxml2-python-2.5.4-1.2.91mdk.i586.rpm
3a7b2acf410ed9d6dc7d34d7e7fc319a  9.1/RPMS/libxml2-utils-2.5.4-1.2.91mdk.i586.rpm
bbb88662f90ff49f28a2e3e6905106f3  9.1/SRPMS/libxml2-2.5.4-1.2.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
bcf80b555579701ed2ba8925bc1a9634  ppc/9.1/RPMS/libxml2-2.5.4-1.2.91mdk.ppc.rpm
3f6a1d38b9aaefd39a2ad116ec65643d  ppc/9.1/RPMS/libxml2-devel-2.5.4-1.2.91mdk.ppc.rpm
cdb9ee131ca5bd58564259d6917a9c56  ppc/9.1/RPMS/libxml2-python-2.5.4-1.2.91mdk.ppc.rpm
3c96adac2eb332f1e535b80e626a2c80  ppc/9.1/RPMS/libxml2-utils-2.5.4-1.2.91mdk.ppc.rpm
bbb88662f90ff49f28a2e3e6905106f3  ppc/9.1/SRPMS/libxml2-2.5.4-1.2.91mdk.src.rpm

Mandrakelinux 9.2:
6566203ab3c4fb904ae0126196aaf400  9.2/RPMS/libxml2-2.5.11-1.2.92mdk.i586.rpm
5552925b636b9926059c5c27ca37a588  9.2/RPMS/libxml2-devel-2.5.11-1.2.92mdk.i586.rpm
377f7250ee689d7ee7453b852e651d02  9.2/RPMS/libxml2-python-2.5.11-1.2.92mdk.i586.rpm
7e04e506249fbb224690ce3cc6434776  9.2/RPMS/libxml2-utils-2.5.11-1.2.92mdk.i586.rpm
34048480a99f5f04d02902ab918cf5c8  9.2/SRPMS/libxml2-2.5.11-1.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
12bfba14856691201fb44eeecd2e0760  amd64/9.2/RPMS/lib64xml2-2.5.11-1.2.92mdk.amd64.rpm
0267276afa32b153be2ab27821f2a45c  amd64/9.2/RPMS/lib64xml2-devel-2.5.11-1.2.92mdk.amd64.rpm
545cdb232a403bb77dbd7ae5881dfe01  amd64/9.2/RPMS/lib64xml2-python-2.5.11-1.2.92mdk.amd64.rpm
32012969ba7f58a67f8569d86ca90246  amd64/9.2/RPMS/libxml2-utils-2.5.11-1.2.92mdk.amd64.rpm
34048480a99f5f04d02902ab918cf5c8  amd64/9.2/SRPMS/libxml2-2.5.11-1.2.92mdk.src.rpm

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security@linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
Updated: March 09, 2004
Affected
Please see http://www.openpkg.org/security/OpenPKG-SA-2004.003-libxml.html
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.003                                  05-Mar-2004

Package:             libxml
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= libxml-2.6.5-20040126   >= libxml-2.6.6-20040212
OpenPKG 2.0          none                       N.A.
OpenPKG 1.3          <= libxml-2.5.8-1.3.0      >= libxml-2.5.8-1.3.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_dom perl-xml::with_libxml
                     php::with_dom php5::with_xml php5::with_dom cadaver
                     dia kde-libs libgdome libglade libwmf libxslt
                     neon pan ripe-dbase roadrunner scli scrollkeeper
                     sitecopy subversion wv xmlsec xmlstarlet xmlto xmms
OpenPKG 1.3          apache::with_mod_php_dom perl-xml::with_libxml
                     php::with_dom libgdome libwmf libxslt neon sitecopy
                     xmlsec

Description:
  A flaw in the HTTP and FTP client sub-library of libxml2 [0]
  found by Yuuichi Teranishi can be exploited to cause a buffer
  overflow if passed a very long URL [1]. This could be used by
  an attacker to execute arbitrary code on the host computer. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0110 [2] to the problem.

  Please check whether you are affected by running "
Updated: March 09, 2004
Affected
Please see https://rhn.redhat.com/errata/RHSA-2004-090.html
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Updated libxml2 packages fix security vulnerability
Advisory ID:       RHSA-2004:091-02
Issue date:        2004-03-03
Updated on:        2004-03-03
Product:           Red Hat Linux
Keywords:
Cross references:
Obsoletes:
CVE Names:         CAN-2004-0110

1. Topic:

Updated libxml2 packages that fix an overflow when parsing remote resources
are now available.

[Updated 3 March 2004]
Revised libxml2 packages are now available as the original packages did not
contain a complete patch.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386

3. Problem description:

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110
to this issue.

All users are advised to upgrade to these updated packages, which contain a
backported fix and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/libxml2-2.5.4-3.rh9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/libxml2-2.5.4-3.rh9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libxml2-devel-2.5.4-3.rh9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libxml2-python-2.5.4-3.rh9.i386.rpm

6. Verification:

MD5 sum                           Package Name
cb550a537cbc60b95dcc4396ab419466  9/en/os/SRPMS/libxml2-2.5.4-3.rh9.src.rpm
b063360d9efb8f4de082f1324fdcd421  9/en/os/i386/libxml2-2.5.4-3.rh9.i386.rpm
8590c8fcd8268d3b682531a4428f14f8  9/en/os/i386/libxml2-devel-2.5.4-3.rh9.i386.rpm
d34886934ad6c00607e0117815bc1e0a  9/en/os/i386/libxml2-python-2.5.4-3.rh9.i386.rpm

These packages are GPG signed by Red Hat for security. Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:

rpm --checksig -v
Updated: March 09, 2004
Affected
Please see ftp://patches.sgi.com/support/free/security/advisories/20040301-01-U.asc
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----

                          SGI Security Advisory

Title     : SGI Advanced Linux Environment security update #13
Number    : 20040301-01-U
Date      : March 3, 2004
Reference : Redhat Advisory RHSA-2004:090-06, CAN-2004-0110
Reference : Redhat Advisory RHSA-2004:058-08, CAN-2003-0973
Fixed in  : Patch 10056 for SGI ProPack v2.4 and SGI ProPack v2.3

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use. SGI recommends that
this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose. In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory.

- --- Update ---

SGI has released Patch 10056: SGI Advanced Linux Environment security
update #13, which includes updated RPMs for SGI ProPack v2.4 and SGI
ProPack v2.3 for the SGI Altix family of systems, in response to the
following security issues:

Updated mod_python packages fix denial of service vulnerability
http://rhn.redhat.com/errata/RHSA-2004-058.html

Updated libxml2 packages fix security vulnerability
http://rhn.redhat.com/errata/RHSA-2004-090.html

Patch 10056 is available from http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/

The individual RPMs from Patch 10056 are available from:

ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.4/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.4/updates/SRPMS

Note: Four weeks after the release of SGI ProPack v2.4,
weekly security updates for SGI ProPack v2.3 will discontinue.
Please upgrade to SGI ProPack v2.4 as soon as possible.

See the SGI ProPack Support Policy on http://support.sgi.com/
for additional information.

- --- Links ---

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

Red Hat Errata: Security Alerts, Bugfixes, and Enhancements
http://www.redhat.com/apps/support/errata/

SGI Advanced Linux Environment security updates can be found on:
ftp://oss.sgi.com/projects/sgi_propack/download/

SGI patches can be found at the following patch servers:
http://support.sgi.com/

The primary SGI anonymous FTP site for security advisories and
security patches is ftp://patches.sgi.com/support/free/security/

- --- SGI Security Information/Contacts ---

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com. Security advisories and patches are located under the URL
ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap < YourEmailAddress such as midwatch@sgi.com >
end
^d

In the example above,
Updated: March 09, 2004
Affected
Please see http://www.trustix.org/errata/misc/2004/TSL-2004-0010-libxml2.asc.txt
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trustix Secure Linux Security Advisory #2004-0010

Package name:      libxml2
Summary:           buffer overrun in nanohttp
Date:              2004-03-05
Affected versions: Trustix 2.0

Package description:
This library allows one to manipulate XML files. It includes support
to read, modify and write XML and HTML files.

Problem description:
URLs longer than 4096 bytes would cause an overflow while using nanohttp
in libxml2.

Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.

Location:
All Trustix updates are available from
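The flaw the Gentoo and Trustix advisories above describe, a URL longer than 4096 bytes overrunning a fixed-size buffer in libxml2's HTTP/FTP fetch path, is the classic unchecked-copy bug class. The following C is an added illustration, not code from libxml2 or from any vendor quoted on this page: it places the unsafe pattern beside a bounded parser that refuses over-long input before writing anything and checks every field copy against the size of its destination. URI_MAX, parsed_url, parse_url_bounded and the demo_* helpers are this example's own names, and the over-long input is constructed inside the code.

```c
/* Added example, not libxml2 or vendor code: a URL parser that bounds every
 * copy against its destination, the defence for the CAN-2004-0110 bug class
 * (a fixed 4096-byte URI buffer overrun by a longer URL). Names are made up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define URI_MAX 4096   /* the fixed capacity the advisories mention */

typedef struct {
    char scheme[16];
    char host[256];
    int  port;          /* explicit port, or the scheme default (0 if unknown) */
    char path[URI_MAX]; /* path, query and fragment, verbatim */
} parsed_url;

/* The unsafe pattern the advisories describe, kept only for contrast: a fixed
 * buffer filled by an unbounded copy, so any longer URL overruns it. */
void copy_url_unbounded(const char *url, char dest[URI_MAX])
{
    strcpy(dest, url);  /* no length check at all */
}

/* Bounded variant. Over-long input is refused before any byte is written,
 * and each field copy is checked against that field's real size.
 * Returns 0 on success, -1 if the URL is malformed or would not fit. */
int parse_url_bounded(const char *url, parsed_url *out)
{
    size_t len = strlen(url);
    if (len >= URI_MAX)
        return -1;
    memset(out, 0, sizeof *out);             /* fields end up NUL-terminated */

    const char *sep = strstr(url, "://");
    if (sep == NULL)
        return -1;
    size_t slen = (size_t)(sep - url);
    if (slen == 0 || slen >= sizeof out->scheme)
        return -1;
    memcpy(out->scheme, url, slen);

    const char *auth = sep + 3;                      /* host[:port] */
    const char *path = strchr(auth, '/');            /* NULL if absent */
    const char *auth_end = path ? path : url + len;
    const char *colon = memchr(auth, ':', (size_t)(auth_end - auth));
    const char *host_end = colon ? colon : auth_end;
    size_t hlen = (size_t)(host_end - auth);
    if (hlen == 0 || hlen >= sizeof out->host)
        return -1;
    memcpy(out->host, auth, hlen);

    if (colon) {
        char *end;
        long port = strtol(colon + 1, &end, 10);
        if (end != auth_end || port <= 0 || port > 65535)
            return -1;                               /* empty or bad port */
        out->port = (int)port;
    } else if (strcmp(out->scheme, "http") == 0) {
        out->port = 80;
    } else if (strcmp(out->scheme, "ftp") == 0) {
        out->port = 21;
    }

    if (path) {
        size_t plen = (size_t)(url + len - path);    /* < URI_MAX by the first check */
        memcpy(out->path, path, plen);
    } else {
        out->path[0] = '/';
    }
    return 0;
}

static parsed_url last;   /* result of the most recent demo_parse() call */
int demo_parse(const char *url) { return parse_url_bounded(url, &last); }
const char *demo_host(void) { return last.host; }
const char *demo_path(void) { return last.path; }
int demo_port(void) { return last.port; }

/* Constructed input: a well-formed URL longer than URI_MAX, the shape that
 * overran the fixed buffer. The bounded parser must return -1 for it. */
int demo_overlong_rejected(void)
{
    size_t n = URI_MAX + 64;
    char *url = malloc(n + 1);
    if (url == NULL)
        return -2;
    memset(url, 'A', n);                      /* filler path characters */
    memcpy(url, "http://example.com/", 19);   /* valid prefix, no NUL copied */
    url[n] = '\0';
    int rc = parse_url_bounded(url, &last);
    free(url);
    return rc;
}

int main(void)
{
    if (demo_parse("http://example.com:8080/a/b?c=1") == 0)
        printf("host=%s port=%d path=%s\n", demo_host(), demo_port(), demo_path());
    printf("over-long URL rejected: %s\n", demo_overlong_rejected() == -1 ? "yes" : "no");
    return 0;
}
```

The design point is the order of operations: the total length is checked before the first write, so a rejected URL never touches the output, and each later copy is bounded by the destination field rather than by the input. The parser deliberately covers only scheme://host[:port][/path]; bracketed IPv6 hosts and userinfo are out of scope here and would need their own checks.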