expat-1.95.8-8.3AXS3.2

エラータID: AXSA:2009-431:01

Release date: 
Thursday, December 10, 2009 - 19:49
Subject: 
expat-1.95.8-8.3AXS3.2
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. A start tag is an example of the kind of structures for which you may register handlers.
Security bugs fixed with this release:
CVE-2009-3560
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

Solution: 

Update packages.

CVEs: 
CVE-2009-3560
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
Additional Info: 

N/A

Download: 

SRPMS
  1. expat-1.95.8-8.3AXS3.2.src.rpm
    MD5: dd6312a37e0a2b4774bc337f0798e84e
    SHA-256: d639aa682ebb71c621f677412546dfa30d323adcaa2a41e294764b6449a8f70a
    Size: 318.05 kB

Asianux Server 3 for x86
  1. expat-1.95.8-8.3AXS3.2.i386.rpm
    MD5: 585587762c2da6b1ec05ca6b48cec668
    SHA-256: 9a1af05fdce4e09b8e2a5c97200bc710a7f75389057f92dcd547efac47464a88
    Size: 77.23 kB
  2. expat-devel-1.95.8-8.3AXS3.2.i386.rpm
    MD5: 9ee087750c65d5e81466c92586e9c24e
    SHA-256: 99fa4c4b6e12b58e7aa3f69aa5fb84a7659f5de4df5b5f73180cd4b2c5e17d3f
    Size: 132.35 kB

Asianux Server 3 for x86_64
  1. expat-1.95.8-8.3AXS3.2.x86_64.rpm
    MD5: 58948eb2b190fbfd88999dc8e38304d6
    SHA-256: 8e63966404a390c9fcfe9fd3637a6b8e7a567c374984eeae87f20c1940a0dae7
    Size: 76.42 kB
  2. expat-devel-1.95.8-8.3AXS3.2.x86_64.rpm
    MD5: 7abb426631935d0f7a34cf9fe8cbef05
    SHA-256: 19ef14a4e003336f6141b02baa8e266a400af5cc60b3663a0c3f9fb3642b0d80
    Size: 129.08 kB