Lucene search
This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.DEBIAN_DLA-373.NASLHistoryDec 29, 2015 - 12:00 a.m.
Debian DLA-373-1 : libxml2 security update
2015-12-2900:00:00
This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.
www.tenable.com
11
Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or crash the application.
CVE-2015-5312: CPU exhaustion when processing specially crafted XML input. CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey. CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl. CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-373-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(87605);
script_version("2.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");
script_cve_id("CVE-2015-5312", "CVE-2015-7497", "CVE-2015-7498", "CVE-2015-7499", "CVE-2015-7500");
script_name(english:"Debian DLA-373-1 : libxml2 security update");
script_summary(english:"Checks dpkg output for the updated packages.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"Several vulnerabilities were discovered in libxml2, a library
providing support to read, modify and write XML and HTML files. A
remote attacker could provide a specially crafted XML or HTML file
that, when processed by an application using libxml2, would cause that
application to use an excessive amount of CPU, leak potentially
sensitive information, or crash the application.
CVE-2015-5312: CPU exhaustion when processing specially crafted XML
input. CVE-2015-7497: Heap-based buffer overflow in
xmlDictComputeFastQKey. CVE-2015-7498: Heap-based buffer overflow in
xmlParseXmlDecl. CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://lists.debian.org/debian-lts-announce/2015/12/msg00015.html"
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/squeeze-lts/libxml2"
);
script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxml2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxml2-dbg");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxml2-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxml2-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxml2-utils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-libxml2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-libxml2-dbg");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
script_set_attribute(attribute:"patch_publication_date", value:"2015/12/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/29");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"6.0", prefix:"libxml2", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (deb_check(release:"6.0", prefix:"libxml2-dbg", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (deb_check(release:"6.0", prefix:"libxml2-dev", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (deb_check(release:"6.0", prefix:"libxml2-doc", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (deb_check(release:"6.0", prefix:"libxml2-utils", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (deb_check(release:"6.0", prefix:"python-libxml2", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (deb_check(release:"6.0", prefix:"python-libxml2-dbg", reference:"2.7.8.dfsg-2+squeeze16")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | libxml2 | p-cpe:/a:debian:debian_linux:libxml2 |
| debian | debian_linux | libxml2-dbg | p-cpe:/a:debian:debian_linux:libxml2-dbg |
| debian | debian_linux | libxml2-dev | p-cpe:/a:debian:debian_linux:libxml2-dev |
| debian | debian_linux | libxml2-doc | p-cpe:/a:debian:debian_linux:libxml2-doc |
| debian | debian_linux | libxml2-utils | p-cpe:/a:debian:debian_linux:libxml2-utils |
| debian | debian_linux | python-libxml2 | p-cpe:/a:debian:debian_linux:python-libxml2 |
| debian | debian_linux | python-libxml2-dbg | p-cpe:/a:debian:debian_linux:python-libxml2-dbg |
| debian | debian_linux | 6.0 | cpe:/o:debian:debian_linux:6.0 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
lists.debian.org/debian-lts-announce/2015/12/msg00015.html
packages.debian.org/source/squeeze-lts/libxml2
Related
openvas
openvas
Debian: Security Advisory (DLA-373-1)
2023-03-08 00:00:00
Ubuntu: Security Advisory (USN-2834-1)
2015-12-15 00:00:00
Mageia: Security Advisory (MGASA-2015-0457)
2015-11-27 00:00:00
osv
osv
libxml2 - security update
2015-12-26 00:00:00
CVE-2016-9597
2018-07-30 14:29:02
Heap-based buffer overflow in nokogiri
2018-09-17 21:57:38
debian
debian
[SECURITY] [DLA 373-1] libxml2 security update
2015-12-26 13:08:39
[SECURITY] [DSA 3430-1] libxml2 security update
2015-12-23 13:19:18
[SECURITY] [DSA 3430-1] libxml2 security update
2015-12-23 13:19:18
nessus
nessus
Ubuntu 14.04 LTS : libxml2 vulnerabilities (USN-2834-1)
2015-12-15 00:00:00
OracleVM 3.3 : libxml2 (OVMSA-2015-0152)
2015-12-08 00:00:00
RHEL 6 : libxml2 (RHSA-2015:2549)
2015-12-08 00:00:00
ubuntu
ubuntu
libxml2 vulnerabilities
2015-12-14 00:00:00
libxml2 vulnerabilities
2016-01-19 00:00:00
cloudfoundry
cloudfoundry
USN-2834-1 libxml2 vulnerability | Cloud Foundry
2016-01-07 00:00:00
mageia
mageia
Updated libxml2 packages fix security vulnerabilities
2015-11-26 23:47:39
rubygems
rubygems
Nokogiri gem contains several vulnerabilities in libxml2
2015-12-14 21:00:00
Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
2016-01-18 21:00:00
archlinux
archlinux
libxml2: multiple issues
2015-12-09 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:51:46
Information Disclosure
2019-05-02 05:51:46
Denial Of Service (DoS)
2019-05-02 05:51:46
freebsd
freebsd
libxml2 -- multiple vulnerabilities
2015-11-20 00:00:00
oraclelinux
oraclelinux
libxml2 security update
2015-12-07 00:00:00
libxml2 security update
2015-12-07 00:00:00
centos
centos
libxml2 security update
2015-12-07 13:26:33
libxml2 security update
2015-12-07 20:38:05
ibm
ibm
redhat
redhat
(RHSA-2015:2549) Moderate: libxml2 security update
2015-12-07 00:00:00
(RHSA-2015:2550) Moderate: libxml2 security update
2015-12-07 10:04:33
f5
f5
K61570943 : Multiple libXML2 vulnerabilities
2016-02-15 00:00:00
amazon
amazon
Medium: libxml2
2015-12-14 10:00:00
Medium: libxml2
2019-05-29 19:14:00
fedora
fedora
[SECURITY] Fedora 22 Update: libxml2-2.9.3-1.fc22
2015-11-30 23:26:43
[SECURITY] Fedora 23 Update: libxml2-2.9.3-1.fc23
2015-11-26 21:01:32
cve
cve
prion
prion
debiancve
debiancve
ubuntucve
ubuntucve
github
github
Heap-based buffer overflow in nokogiri
2018-09-17 21:57:38
Nokogiri subject to DoS via libxml2 vulnerability
2018-08-21 19:03:04
gentoo
gentoo
libxml2: Multiple vulnerabilities
2017-01-16 00:00:00
suse
suse
Security update for sles12-docker-image (important)
2016-03-16 15:28:52
apple
apple
About the security content of tvOS 9.2
2016-03-21 00:00:00
About the security content of tvOS 9.2 - Apple Support
2017-01-23 03:54:34
About the security content of watchOS 2.2 - Apple Support
2017-01-23 03:54:34
tenable
tenable
[R1] Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities
2023-06-29 10:45:47
Related for DEBIAN_DLA-373.NASL