You are here
Home > Preporuke > Sigurnosni nedostaci programske biblioteke libxml2

Sigurnosni nedostaci programske biblioteke libxml2

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libxml2 security update
Advisory ID: RHSA-2020:1190-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1190
Issue date: 2020-03-31
CVE Names: CVE-2015-8035 CVE-2016-5131 CVE-2017-15412
CVE-2017-18258 CVE-2018-14404 CVE-2018-14567
=====================================================================

1. Summary:

An update for libxml2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) – x86_64
Red Hat Enterprise Linux Client Optional (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) – x86_64
Red Hat Enterprise Linux Server (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) – x86_64

3. Description:

The libxml2 library is a development toolbox providing the implementation
of various XML standards.

Security Fix(es):

* libxml2: Use after free triggered by XPointer paths beginning with
range-to (CVE-2016-5131)

* libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate()
function in xpath.c (CVE-2017-15412)

* libxml2: DoS caused by incorrect error detection during XZ decompression
(CVE-2015-8035)

* libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in
xpath.c (CVE-2018-14404)

* libxml2: Unrestricted memory usage in xz_head() function in xzlib.c
(CVE-2017-18258)

* libxml2: Infinite loop caused by incorrect error detection during LZMA
decompression (CVE-2018-14567)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The desktop must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1277146 – CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression
1358641 – CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to
1523128 – CVE-2017-15412 libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c
1566749 – CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c
1595985 – CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c
1619875 – CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
libxml2-2.9.1-6.el7.4.src.rpm

x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
libxml2-2.9.1-6.el7.4.src.rpm

x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
libxml2-2.9.1-6.el7.4.src.rpm

ppc64:
libxml2-2.9.1-6.el7.4.ppc.rpm
libxml2-2.9.1-6.el7.4.ppc64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc64.rpm
libxml2-devel-2.9.1-6.el7.4.ppc.rpm
libxml2-devel-2.9.1-6.el7.4.ppc64.rpm
libxml2-python-2.9.1-6.el7.4.ppc64.rpm

ppc64le:
libxml2-2.9.1-6.el7.4.ppc64le.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc64le.rpm
libxml2-devel-2.9.1-6.el7.4.ppc64le.rpm
libxml2-python-2.9.1-6.el7.4.ppc64le.rpm

s390x:
libxml2-2.9.1-6.el7.4.s390.rpm
libxml2-2.9.1-6.el7.4.s390x.rpm
libxml2-debuginfo-2.9.1-6.el7.4.s390.rpm
libxml2-debuginfo-2.9.1-6.el7.4.s390x.rpm
libxml2-devel-2.9.1-6.el7.4.s390.rpm
libxml2-devel-2.9.1-6.el7.4.s390x.rpm
libxml2-python-2.9.1-6.el7.4.s390x.rpm

x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
libxml2-debuginfo-2.9.1-6.el7.4.ppc.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc64.rpm
libxml2-static-2.9.1-6.el7.4.ppc.rpm
libxml2-static-2.9.1-6.el7.4.ppc64.rpm

ppc64le:
libxml2-debuginfo-2.9.1-6.el7.4.ppc64le.rpm
libxml2-static-2.9.1-6.el7.4.ppc64le.rpm

s390x:
libxml2-debuginfo-2.9.1-6.el7.4.s390.rpm
libxml2-debuginfo-2.9.1-6.el7.4.s390x.rpm
libxml2-static-2.9.1-6.el7.4.s390.rpm
libxml2-static-2.9.1-6.el7.4.s390x.rpm

x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
libxml2-2.9.1-6.el7.4.src.rpm

x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-8035
https://access.redhat.com/security/cve/CVE-2016-5131
https://access.redhat.com/security/cve/CVE-2017-15412
https://access.redhat.com/security/cve/CVE-2017-18258
https://access.redhat.com/security/cve/CVE-2018-14404
https://access.redhat.com/security/cve/CVE-2018-14567
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXoOdR9zjgjWX9erEAQhgbQ/+JolcknqNffv7HQZNxYOtS/M2Zx/E3IB4
QwmkXhfmgV44ig4prUpghE/+O5eTUPjqSq6rHjih/pjCjG4bVcK6BptxBFi7WQwo
GM0ryvm0p0fib0dy+Ov3NNC6Dhg32NIVwC0pWTIEdYcOGBfDY3mXlLXx5aHefisu
p1C7F6rP4xxMRDOlQhAB4UPMkPSD/MtKIyxIEqiAT5olybSTl0um2AB5XtLlCbkT
h4IXDsAyswvBIS/bxnyZkn6oHEiD3JBwcP+ZU0jgSEy34O92ttV7hRQb1H1+YHOO
li1bX5IcbmFzATwBfCZQmNfrp/XU4Ra28GT/3JGntnhhxFmz1xe/h5YNJTwZ+0TX
yxKZdAz3brm/mt6uvbY4PpGERyA+X/Moz4ToXCEL2jVfSXbOuajRtCV8Cp3X7bCd
Ed2imuXZQPpUXNVdF73RJ7YB6vEhQRIdlKgEXzPPpuHFH1HprvSLoJyrDD1T8bfx
TVrrmvtWKtXq0DYSD7wGw23WZJJeUIgyKiZNTlIxvb0c7r8+aZ+toY07sZlBkTCA
cjWNRnHDNkdYH2ZoNPQlzYzk5rSYGqhoOvF85pNCY4v4fofyMEnyAY7MEZ/Z991X
Ko2ShKSzEtKSMcx2B2wPg+hFcACP8HbKxSbW3SzoCSKCOGEAPLQlJ5eHXwLOAO3Q
IZIK7xZywNw=
=8RZh
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostatak programske biblioteke zziplib

Otkriven je sigurnosni nedostatak programske biblioteke zziplib za operacijski sustav RHEL. Otkriveni nedostatak potencijalnim udaljenim napadačima omogućuje izvođenje 'directory traversal'...

Close