libxml2-2.7.6-20.1.0.1.AXS4

エラータID: AXSA:2016-021:01

Release date: 
Monday, January 11, 2016 - 12:24
Subject: 
libxml2-2.7.6-20.1.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

Security issues fixed with this release:

CVE-2015-5312
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7497
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7498
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7499
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7500
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7941
libxml2 2.9.2 does not properly stop parsing invalid input, which
allows context-dependent attackers to cause a denial of service
(out-of-bounds read and libxml2 crash) via crafted XML data to the (1)
xmlParseEntityDecl or (2) xmlParseConditionalSections function in
parser.c, as demonstrated by non-terminated entities.
CVE-2015-7942
The xmlParseConditionalSections function in parser.c in libxml2 does
not properly skip intermediary entities when it stops parsing invalid
input, which allows context-dependent attackers to cause a denial of
service (out-of-bounds read and crash) via crafted XML data, a
different vulnerability than CVE-2015-7941.
CVE-2015-8241
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-8242
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-8317
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2015-5312
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
CVE-2015-7497
Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.
CVE-2015-7498
Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.
CVE-2015-7499
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
CVE-2015-7500
The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.
CVE-2015-7941
libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
CVE-2015-7942
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
CVE-2015-8241
The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
CVE-2015-8242
The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
CVE-2015-8317
The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
Additional Info: 

N/A

Download: 

SRPMS
  1. libxml2-2.7.6-20.1.0.1.AXS4.src.rpm
    MD5: f3da49679e252b38712daf6a0be3b2ae
    SHA-256: 9d6786ac19e183f01f425c6f590fb780a75c6bd1e0852f07cf1b0c7a2ff07ca9
    Size: 4.69 MB

Asianux Server 4 for x86
  1. libxml2-2.7.6-20.1.0.1.AXS4.i686.rpm
    MD5: c1b715f8278532bbecccff89389696cc
    SHA-256: bcfc08193c24a597bb5a6b7efdfac79485c39e16f72b157ccc88cbecbc782a62
    Size: 802.54 kB
  2. libxml2-devel-2.7.6-20.1.0.1.AXS4.i686.rpm
    MD5: 423f455a895cb3e20751c5ae8ef2d374
    SHA-256: 8f568d1a6d65c506d9b0701b1cf9004bcecd635457725fb5307527dd51297fec
    Size: 1.06 MB
  3. libxml2-python-2.7.6-20.1.0.1.AXS4.i686.rpm
    MD5: f3a54a44651f513dfbd4401064b3017c
    SHA-256: e07199e8c2b241207a1869d1a5d778ddbfa2b5650b104fe0121012011583d2c7
    Size: 315.73 kB

Asianux Server 4 for x86_64
  1. libxml2-2.7.6-20.1.0.1.AXS4.x86_64.rpm
    MD5: 7f84bf996f318c7c77d0ceee8e63cd1e
    SHA-256: 6335da44f0a1feed89f11469453cb1299b6bdd5d19fa63f3c31943d2ca31be8c
    Size: 801.91 kB
  2. libxml2-devel-2.7.6-20.1.0.1.AXS4.x86_64.rpm
    MD5: 0d1fc8d84b7a9b7c140a3e883a3cd165
    SHA-256: a70402e2a8297c98264548310f3fc78c305ca01c6429935aa968e42569029fc5
    Size: 1.06 MB
  3. libxml2-python-2.7.6-20.1.0.1.AXS4.x86_64.rpm
    MD5: 29d7c4c905e8cf3bbe29da1e428c8253
    SHA-256: 6d60a436be3f0015be5fe7faec9e2bcdcce29e98d14d8618c42c2624448ebb4a
    Size: 322.19 kB
  4. libxml2-2.7.6-20.1.0.1.AXS4.i686.rpm
    MD5: c1b715f8278532bbecccff89389696cc
    SHA-256: bcfc08193c24a597bb5a6b7efdfac79485c39e16f72b157ccc88cbecbc782a62
    Size: 802.54 kB
  5. libxml2-devel-2.7.6-20.1.0.1.AXS4.i686.rpm
    MD5: 423f455a895cb3e20751c5ae8ef2d374
    SHA-256: 8f568d1a6d65c506d9b0701b1cf9004bcecd635457725fb5307527dd51297fec
    Size: 1.06 MB