libxml2-2.9.7-9.el8.2

Errata ID: AXSA:2021-2193:02

Release date: Monday, July 12, 2021 - 06:57
Subject: libxml2-2.9.7-9.el8.2
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

* libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c (CVE-2021-3516)
* libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c (CVE-2021-3517)
* libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c (CVE-2021-3518)
* libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode (CVE-2021-3537)
* libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms (CVE-2021-3541)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-3516
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
CVE-2021-3517
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
CVE-2021-3518
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVE-2021-3537
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVE-2021-3541
A flaw was found in libxml2. An exponential entity expansion attack is possible that bypasses all existing protection mechanisms and leads to denial of service.

Solution: 

Update the affected packages to libxml2-2.9.7-9.el8.2 (listed below) or later. Processes that already have the old libxml2 shared library loaded keep using it until they are restarted.
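The following script is an added example for this errata, not Asianux tooling: it checks a downloaded RPM against the SHA-256 values published in the Download section and reports whether the libxml2 installed on a host is at or above the fixed build 2.9.7-9.el8.2. It assumes GNU coreutils (sha256sum, sort -V) and, for the installed-package check, the rpm command; the script name check_libxml2.sh is illustrative.

```shell
#!/bin/sh
# Added example for AXSA:2021-2193:02 (not Asianux's own tooling).
# Assumes GNU coreutils (sha256sum, sort -V) and the rpm CLI for the host check.

FIXED_NVR="2.9.7-9.el8.2"

# SHA-256 values copied from the Download section of this advisory.
published_sha256() {
    cat <<'EOF'
libxml2-2.9.7-9.el8.2.src.rpm 5efc5dbfc8c1948ab2ba08cde7e95ed7e43fb68b55ff85f11fb24d31e829d39f
libxml2-2.9.7-9.el8.2.x86_64.rpm 236b62b3b4ea1c1f1b98cbe6263a2513cec6dcafdf251e124cb31fc5a13282a6
libxml2-devel-2.9.7-9.el8.2.x86_64.rpm ced993d23fa28027caf9b4ea0668462a6712e0723737b626f6ffc36980598e04
python3-libxml2-2.9.7-9.el8.2.x86_64.rpm 919a338f76cb2505b120d78369466c4a987a29537fa36c63ab7dbdd0ad477761
libxml2-2.9.7-9.el8.2.i686.rpm 518322c7379d8499b408328154eb3759609140ca4020b0f46a903a9271366c44
libxml2-devel-2.9.7-9.el8.2.i686.rpm d3e7a33bd0ae1b21fca6ecc0fbc0e857dd1420f6bd3881c8a19cb4d36dda4a76
EOF
}

# expected_sha256 NAME: print the published hash for NAME, or nothing if unlisted.
expected_sha256() {
    published_sha256 | awk -v f="$1" '$1 == f { print $2 }'
}

# sha256_matches FILE HASH: exit 0 if FILE hashes to HASH, 1 otherwise.
sha256_matches() {
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$2" ]
}

# verify_rpm FILE: exit 0 only if FILE is listed in this errata and its hash matches.
verify_rpm() {
    want=$(expected_sha256 "$(basename "$1")")
    if [ -z "$want" ]; then
        echo "$1: not listed in AXSA:2021-2193:02" >&2
        return 1
    fi
    sha256_matches "$1" "$want"
}

# nvr_is_fixed VERSION-RELEASE: exit 0 if the build is at or above the fixed one.
# sort -V orders the two strings the way rpm orders version and release fields
# for the dotted/numeric forms used here.
nvr_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_NVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_NVR" ]
}

# installed_is_fixed: exit 0 if every installed libxml2 package (x86_64 and
# i686 may both be present) is at or above the fixed build.
installed_is_fixed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q libxml2 >/dev/null 2>&1 || { echo "libxml2 is not installed" >&2; return 1; }
    for nvr in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2); do
        nvr_is_fixed "$nvr" || { echo "libxml2-$nvr is still vulnerable" >&2; return 1; }
    done
}

# Usage: sh check_libxml2.sh [downloaded.rpm ...]
for f in "$@"; do
    if verify_rpm "$f"; then echo "$f: checksum OK"; else echo "$f: checksum MISMATCH"; fi
done
```

Run it with the downloaded RPM paths as arguments before installing them; call installed_is_fixed on the host afterwards (for example with `sh -c '. ./check_libxml2.sh; installed_is_fixed'`) to confirm the update took effect. Checking the SHA-256 rather than the MD5 is deliberate: MD5 is listed above but is not collision resistant, so only the SHA-256 value gives any assurance that the file is the one the vendor published.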

Additional Info: 

N/A

Download: 

SRPMS
  1. libxml2-2.9.7-9.el8.2.src.rpm
    MD5: d9bf31c1cbdb491eee8874e5a8559be7
    SHA-256: 5efc5dbfc8c1948ab2ba08cde7e95ed7e43fb68b55ff85f11fb24d31e829d39f
    Size: 5.21 MB

Asianux Server 8 for x86_64
  1. libxml2-2.9.7-9.el8.2.x86_64.rpm
    MD5: 09548491344301475de54d63e5ef6711
    SHA-256: 236b62b3b4ea1c1f1b98cbe6263a2513cec6dcafdf251e124cb31fc5a13282a6
    Size: 694.74 kB
  2. libxml2-devel-2.9.7-9.el8.2.x86_64.rpm
    MD5: 3a22e923090a841746baae96d77a8147
    SHA-256: ced993d23fa28027caf9b4ea0668462a6712e0723737b626f6ffc36980598e04
    Size: 1.04 MB
  3. python3-libxml2-2.9.7-9.el8.2.x86_64.rpm
    MD5: 6fd05c8c4a016d2132213a2541450b43
    SHA-256: 919a338f76cb2505b120d78369466c4a987a29537fa36c63ab7dbdd0ad477761
    Size: 236.03 kB
  4. libxml2-2.9.7-9.el8.2.i686.rpm
    MD5: 71afcb32b1dc04c0c99519dec5bc4173
    SHA-256: 518322c7379d8499b408328154eb3759609140ca4020b0f46a903a9271366c44
    Size: 739.45 kB
  5. libxml2-devel-2.9.7-9.el8.2.i686.rpm
    MD5: 98b408b433005d3cbe0f812bca17aa7b
    SHA-256: d3e7a33bd0ae1b21fca6ecc0fbc0e857dd1420f6bd3881c8a19cb4d36dda4a76
    Size: 1.04 MB