ID OPENVAS:1361412562310868769 Type openvas Reporter Copyright (C) 2015 Greenbone Networks GmbH Modified 2017-07-10T00:00:00
Description
Check the version of mingw-libxml2
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for mingw-libxml2 FEDORA-2014-17573
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.868769");
script_version("$Revision: 6630 $");
script_tag(name:"last_modification", value:"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $");
script_tag(name:"creation_date", value:"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)");
script_cve_id("CVE-2014-0191");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:N/A:P");
script_name("Fedora Update for mingw-libxml2 FEDORA-2014-17573");
script_tag(name: "summary", value: "Check the version of mingw-libxml2");
script_tag(name: "vuldetect", value: "Get the installed version with the help of detect NVT and check if the version is vulnerable or not.");
script_tag(name: "insight", value: "MinGW Windows libxml2 XML processing library.
");
script_tag(name: "affected", value: "mingw-libxml2 on Fedora 20");
script_tag(name: "solution", value: "Please Install the Updated Packages.");
script_xref(name: "FEDORA", value: "2014-17573");
script_xref(name: "URL" , value: "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"package");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = get_kb_item("ssh/login/release");
res = "";
if(release == NULL){
exit(0);
}
if(release == "FC20")
{
if ((res = isrpmvuln(pkg:"mingw-libxml2", rpm:"mingw-libxml2~2.9.2~1.fc20", rls:"FC20")) != NULL)
{
security_message(data:res);
exit(0);
}
if (__pkg_match) exit(99); # Not vulnerable.
exit(0);
}
{"id": "OPENVAS:1361412562310868769", "bulletinFamily": "scanner", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17573", "description": "Check the version of mingw-libxml2", "published": "2015-01-05T00:00:00", "modified": "2017-07-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868769", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["2014-17573", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html"], "cvelist": ["CVE-2014-0191"], "type": "openvas", "lastseen": "2017-07-25T10:53:07", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Check the version of mingw-libxml2", "edition": 1, "enchantments": {}, "hash": "ed11aaba47c4c5637c7f65bf8b933dbcbc2c2520a4cf668ed120ec630bdda109", "hashmap": [{"hash": "43a85f3a94742e3825d8895746d3e6d3", "key": "cvelist"}, {"hash": "159295b50f9d93a2f99cf6471805b8ab", "key": "published"}, {"hash": "f9f8b5987bdab1d07466d48ba1fd5f5b", "key": "pluginID"}, {"hash": "af239df7f4da639f49f6611f2a9ce5b9", "key": "references"}, {"hash": "a3a73e54829c0f8924bffd6399e4fddb", "key": "title"}, {"hash": "3873c836ae45fd496c2b40bae50467ed", "key": "cvss"}, {"hash": "e720cc2f0865a8a7e0ab0b01515ddf04", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "2f67e6f11595015f8654c3ffc53f59c7", "key": "sourceData"}, {"hash": "80f9564fae6ce374a51796355fefa101", "key": "href"}, {"hash": "0b9bda101a59d322eb0b21f577836f9d", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868769", "id": "OPENVAS:1361412562310868769", "lastseen": "2017-07-02T21:12:03", "modified": "2017-06-15T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310868769", "published": "2015-01-05T00:00:00", "references": ["2014-17573", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17573\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868769\");\n script_version(\"$Revision: 6345 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-06-15 12:00:59 +0200 (Thu, 15 Jun 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17573\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17573\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17573", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:12:03"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "43a85f3a94742e3825d8895746d3e6d3"}, {"key": "cvss", "hash": "3873c836ae45fd496c2b40bae50467ed"}, {"key": "description", "hash": "e720cc2f0865a8a7e0ab0b01515ddf04"}, {"key": "href", "hash": "80f9564fae6ce374a51796355fefa101"}, {"key": "modified", "hash": "0d134bf170d66438eb1e01173ee0187f"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "f9f8b5987bdab1d07466d48ba1fd5f5b"}, {"key": "published", "hash": "159295b50f9d93a2f99cf6471805b8ab"}, {"key": "references", "hash": "af239df7f4da639f49f6611f2a9ce5b9"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "d5341c4a0c6b6ead497395e416f84d01"}, {"key": "title", "hash": "a3a73e54829c0f8924bffd6399e4fddb"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "e119128009fff16e7f5f4f96b4af6d4eed1c602086c2979c61da7ae78c38442e", "viewCount": 1, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17573\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868769\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17573\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17573\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "1361412562310868769"}
{"result": {"cve": [{"id": "CVE-2014-0191", "type": "cve", "title": "CVE-2014-0191", "description": "The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.", "published": "2015-01-21T09:59:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0191", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-08-29T10:48:05"}], "nessus": [{"id": "DEBIAN_DSA-2978.NASL", "type": "nessus", "title": "Debian DSA-2978-1 : libxml2 - security update", "description": "Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.", "published": "2014-07-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76499", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:40:59"}, {"id": "FEDORA_2015-4658.NASL", "type": "nessus", "title": "Fedora 21 : libxml2-2.9.1-7.fc21 (2015-4658)", "description": "fixes built in also added a couple of other entities related patches including a fix to CVE-2014-3660\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-04-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82627", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:33:05"}, {"id": "FREEBSD_PKG_EFDD0EDCDA3D11E39ECB2C4138874F7D.NASL", "type": "nessus", "title": "FreeBSD : libxml2 -- entity substitution DoS (efdd0edc-da3d-11e3-9ecb-2c4138874f7d)", "description": "Stefan Cornelius reports :\n\nIt was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.\n\nThis issue was discovered by Daniel Berrange of Red Hat.", "published": "2014-05-13T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=73975", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:41:54"}, {"id": "SOLARIS11_LIBXML2_20140819.NASL", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : libxml2 (cve_2014_0191_denial_of)", "description": "The remote Solaris system is missing necessary patches to address security updates.", "published": "2015-01-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=80692", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:36:47"}, {"id": "GENTOO_GLSA-201409-08.NASL", "type": "nessus", "title": "GLSA-201409-08 : libxml2: Denial of Service", "description": "The remote host is affected by the vulnerability described in GLSA-201409-08 (libxml2: Denial of Service)\n\n A vulnerability in the xmlParserHandlePEReference() function of parser.c, when expanding entity references, can be exploited to consume large amounts of memory and cause a crash or hang.\n Impact :\n\n A remote attacker may be able to cause Denial of Service via a specially crafted XML file containing malicious attributes.\n Workaround :\n\n There is no known workaround at this time.", "published": "2014-09-22T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=77776", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:38:08"}, {"id": "AIX_U862099.NASL", "type": "nessus", "title": "AIX 7.1 TL 3 : bos.rte.control (U862099)", "description": "The remote host is missing AIX PTF U862099, which is related to the security of the package bos.rte.control.\n\nLibxml2 is vulnerable to a denial of service, caused by the expansion of internal entities within the xmlParserHandlePEReference().", "published": "2014-11-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79063", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:37:06"}, {"id": "ORACLELINUX_ELSA-2015-0749.NASL", "type": "nessus", "title": "Oracle Linux 7 : libxml2 (ELSA-2015-0749)", "description": "From Red Hat Security Advisory 2015:0749 :\n\nUpdated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe libxml2 library is a development toolbox providing the implementation of various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.", "published": "2015-03-31T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82464", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:36:06"}, {"id": "UBUNTU_USN-2214-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 / 14.04 LTS : libxml2 vulnerability (USN-2214-1)", "description": "Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-05-16T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74035", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:41:17"}, {"id": "AIX_IV62447.NASL", "type": "nessus", "title": "AIX 6.1 TL 8 : libxml2 (IV62447)", "description": "Libxml2 is vulnerable to a denial of service, caused by the expansion of internal entities within the xmlParserHandlePEReference().", "published": "2014-08-20T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=77257", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:34:28"}, {"id": "CENTOS_RHSA-2015-0749.NASL", "type": "nessus", "title": "CentOS 7 : libxml2 (CESA-2015:0749)", "description": "Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe libxml2 library is a development toolbox providing the implementation of various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.", "published": "2015-04-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82476", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-29T13:39:41"}], "amazon": [{"id": "ALAS-2014-341", "type": "amazon", "title": "Medium: libxml2", "description": "**Issue Overview:**\n\nIt was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.\n\n \n**Affected Packages:** \n\n\nlibxml2\n\n \n**Issue Correction:** \nRun _yum update libxml2_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n libxml2-debuginfo-2.9.1-1.1.30.amzn1.i686 \n libxml2-python-2.9.1-1.1.30.amzn1.i686 \n libxml2-2.9.1-1.1.30.amzn1.i686 \n libxml2-devel-2.9.1-1.1.30.amzn1.i686 \n libxml2-static-2.9.1-1.1.30.amzn1.i686 \n \n src: \n libxml2-2.9.1-1.1.30.amzn1.src \n \n x86_64: \n libxml2-debuginfo-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-devel-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-static-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-python-2.9.1-1.1.30.amzn1.x86_64 \n \n \n", "published": "2014-05-21T10:31:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-341.html", "cvelist": ["CVE-2014-0191"], "lastseen": "2016-09-28T21:04:01"}], "openvas": [{"id": "OPENVAS:1361412562310120474", "type": "openvas", "title": "Amazon Linux Local Check: ALAS-2014-341", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120474", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-08-02T10:49:20"}, {"id": "OPENVAS:1361412562310702978", "type": "openvas", "title": "Debian Security Advisory DSA 2978-1 (libxml2 - security update)", "description": "Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.", "published": "2014-07-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702978", "cvelist": ["CVE-2014-0191"], "lastseen": "2018-04-06T11:11:05"}, {"id": "OPENVAS:1361412562310882149", "type": "openvas", "title": "CentOS Update for libxml2 CESA-2015:0749 centos7 ", "description": "Check the version of libxml2", "published": "2015-04-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882149", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-07-25T10:53:28"}, {"id": "OPENVAS:1361412562310121271", "type": "openvas", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201409-08", "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201409-08", "published": "2015-09-29T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121271", "cvelist": ["CVE-2014-0191"], "lastseen": "2018-04-09T11:27:38"}, {"id": "OPENVAS:702978", "type": "openvas", "title": "Debian Security Advisory DSA 2978-1 (libxml2 - security update)", "description": "Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.", "published": "2014-07-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=702978", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-07-31T10:48:40"}, {"id": "OPENVAS:1361412562310871346", "type": "openvas", "title": "RedHat Update for libxml2 RHSA-2015:0749-01", "description": "Check the version of libxml2", "published": "2015-03-31T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871346", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-07-27T10:53:25"}, {"id": "OPENVAS:1361412562310868768", "type": "openvas", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17609", "description": "Check the version of mingw-libxml2", "published": "2015-01-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868768", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-07-25T10:52:18"}, {"id": "OPENVAS:1361412562310841826", "type": "openvas", "title": "Ubuntu Update for libxml2 USN-2214-1", "description": "Check for the Version of libxml2", "published": "2014-05-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841826", "cvelist": ["CVE-2014-0191"], "lastseen": "2018-04-09T11:13:26"}, {"id": "OPENVAS:1361412562310871166", "type": "openvas", "title": "RedHat Update for libxml2 RHSA-2014:0513-01", "description": "Check for the Version of libxml2", "published": "2014-05-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871166", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "lastseen": "2018-04-09T11:14:13"}, {"id": "OPENVAS:1361412562310123412", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0513", "description": "Oracle Linux Local Security Checks ELSA-2014-0513", "published": "2015-10-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123412", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "lastseen": "2017-07-24T12:53:37"}], "freebsd": [{"id": "EFDD0EDC-DA3D-11E3-9ECB-2C4138874F7D", "type": "freebsd", "title": "libxml2 -- entity substitution DoS", "description": "\nStefan Cornelius reports:\n\nIt was discovered that libxml2, a library providing\n\t support to read, modify and write XML files, incorrectly\n\t performs entity substitution in the doctype prolog, even if\n\t the application using libxml2 disabled any entity\n\t substitution. A remote attacker could provide a\n\t specially-crafted XML file that, when processed, would lead\n\t to the exhaustion of CPU and memory resources or file\n\t descriptors.\nThis issue was discovered by Daniel Berrange of Red Hat.\n\n", "published": "2013-12-03T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/efdd0edc-da3d-11e3-9ecb-2c4138874f7d.html", "cvelist": ["CVE-2014-0191"], "lastseen": "2016-09-26T17:24:25"}], "debian": [{"id": "DLA-0016", "type": "debian", "title": "libxml2 -- LTS security update", "description": "Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.\n\nFor Debian 6 Squeeze, these issues have been fixed in libxml2 version 2.7.8.dfsg-2+squeeze9", "published": "2014-07-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/2014/dla-0016", "cvelist": ["CVE-2014-0191"], "lastseen": "2016-09-02T12:56:52"}, {"id": "DSA-2978", "type": "debian", "title": "libxml2 -- security update", "description": "Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 2.8.0+dfsg1-7+wheezy1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 2.9.1+dfsg1-4.\n\nWe recommend that you upgrade your libxml2 packages.", "published": "2014-07-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2978", "cvelist": ["CVE-2014-0191"], "lastseen": "2016-09-02T18:30:46"}, {"id": "DLA-151", "type": "debian", "title": "libxml2 -- LTS security update", "description": "It was discovered that the update released for libxml2 in [DSA 2978](<../2014/dsa-2978>) fixing [CVE-2014-0191](<https://security-tracker.debian.org/tracker/CVE-2014-0191>) was incomplete. This caused libxml2 to still fetch external entities regardless of whether entity substitution or validation is enabled.\n\nIn addition, this update addresses a regression introduced in [DSA 3057](<../2014/dsa-3057>) by the patch fixing [CVE-2014-3660](<https://security-tracker.debian.org/tracker/CVE-2014-3660>). This caused libxml2 to not parse an entity when it's used first in another entity referenced from an attribute value.\n\nFor Debian 6 Squeeze, these issues have been fixed in libxml2 version 2.7.8.dfsg-2+squeeze11", "published": "2015-02-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/2015/dla-151", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "lastseen": "2016-09-02T12:57:53"}], "redhat": [{"id": "RHSA-2015:0749", "type": "redhat", "title": "(RHSA-2015:0749) Moderate: libxml2 security update", "description": "The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n", "published": "2015-03-30T04:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0749", "cvelist": ["CVE-2014-0191"], "lastseen": "2018-04-15T16:21:47"}, {"id": "RHSA-2014:0513", "type": "redhat", "title": "(RHSA-2014:0513) Moderate: libxml2 security update", "description": "The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nAn out-of-bounds read flaw was found in the way libxml2 detected the end of\nan XML file. A remote attacker could provide a specially crafted XML file\nthat, when processed by an application linked against libxml2, could cause\nthe application to crash. (CVE-2013-2877)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n", "published": "2014-05-19T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0513", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "lastseen": "2017-03-10T13:18:33"}], "ubuntu": [{"id": "USN-2214-1", "type": "ubuntu", "title": "libxml2 vulnerability", "description": "Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.", "published": "2014-05-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/2214-1/", "cvelist": ["CVE-2014-0191"], "lastseen": "2018-03-29T18:20:15"}], "gentoo": [{"id": "GLSA-201409-08", "type": "gentoo", "title": "libxml2: Denial of Service", "description": "### Background\n\nlibxml2 is the XML C parser and toolkit developed for the Gnome project.\n\n### Description\n\nA vulnerability in the xmlParserHandlePEReference() function of parser.c, when expanding entity references, can be exploited to consume large amounts of memory and cause a crash or hang. \n\n### Impact\n\nA remote attacker may be able to cause Denial of Service via a specially crafted XML file containing malicious attributes. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll libxml2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/libxml2-2.9.1-r4\"", "published": "2014-09-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201409-08", "cvelist": ["CVE-2014-0191"], "lastseen": "2016-09-06T19:46:29"}], "aix": [{"id": "LIBXML2_ADVISORY.ASC", "type": "aix", "title": "AIX libxml2 vulnerability", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Fri Aug 15 10:26:30 CDT 2014\nUpdated: Fri Aug 22 08:17:41 CDT 2014\nUpdate: fixed APAR availability dates\n|Update: Mon Aug 25 15:18:37 CDT 2014\n|Update Corrected a couple Service Pack level#s\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\n\n===============================================================================\n VULNERABILITY SUMMARY\n\nVULNERABILITY: AIX libxml2 vulnerability\n\nPLATFORMS: AIX 6.1 and 7.1 releases\n VIOS 2.2.*\n\nSOLUTION: Apply the fix as described below\n\nTHREAT: A remote attacker could exploit this vulnerability using a\n specially-crafted XML document containing malicious attributes\n to consume all available CPU resources.\n\nCVE Number: CVE-2014-0191 CVSS=5.0\n\nReboot required? NO \nWorkarounds? NO\nProtected by FPM? NO\nProtected by SED? NO\n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION\n\n Libxml2 is vulnerable to a denial of service, caused by the expansion of \n internal entities within the xmlParserHandlePEReference().\n\nII. CVSS\n\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93092\n for more information\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\nIII. PLATFORM VULNERABILITY ASSESSMENT\n\n Note: To use the following commands on VIOS you must first\n execute:\n\n oem_setup_env\n\n To determine if your system is vulnerable, execute the following\n command:\n\n lslpp -L bos.rte.control\n\n The following fileset levels are vulnerable:\n\n AIX Fileset Lower Level Upper Level KEY\n --------------------------------------------------------\n bos.rte.control 6.1.8.0 6.1.8.17 key_w_fix\n bos.rte.control 6.1.9.0 6.1.9.15 key_w_fix\n bos.rte.control 7.1.2.0 7.1.2.17 key_w_fix\n bos.rte.control 7.1.3.0 7.1.3.15 key_w_fix\n\n AIX Fileset (VIOS) Lower Level Upper Level\n ----------------------------------------------------------------\n bos.rte.control 6.1.8.0(2.2.2.0) 6.1.8.17(2.2.2.4)\n bos.rte.control 6.1.9.0(2.2.3.0) 6.1.9.15(2.2.3.3)\n\nIV. SOLUTIONS\n\n A. APARS\n\n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR number Availability KEY\n ------------------------------------------------------------\n| 6.1.8 IV62447 12/31/2014 SP6 key_w_apar\n 6.1.9 IV62448 10/24/2014 SP4 key_w_apar\n| 7.1.2 IV62449 12/31/2014 SP6 key_w_apar\n 7.1.3 IV62450 10/24/2014 SP4 key_w_apar\n \n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV62447\n http://www.ibm.com/support/docview.wss?uid=isg1IV62448\n http://www.ibm.com/support/docview.wss?uid=isg1IV62449\n http://www.ibm.com/support/docview.wss?uid=isg1IV62450\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available. The fixes can be downloaded via ftp\n from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/libxml2_fix.tar\n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n AIX Level Interim Fix (*.Z) KEY\n ---------------------------------------------------\n 6.1.8.4 IV62447s4a.140715.epkg.Z key_w_fix\n 6.1.9.3 IV62448s3a.140715.epkg.Z key_w_fix\n 7.1.2.4 IV62449s4a.140715.epkg.Z key_w_fix\n 7.1.3.3 IV62450s3a.140715.epkg.Z key_w_fix\n\n VIOS Level Interim Fix (*.Z)\n -------------------------------------\n 2.2.2.4 IV62447s4a.140715.epkg.Z\n 2.2.3.3 IV62448s3a.140715.epkg.Z\n\n To extract the fixes from the tar file:\n\n tar xvf libxml2_fix.tar\n cd libxml2_fix\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command is the following:\n\n openssl dgst -sha256 filename KEY\n ----------------------------------------------------------------------------------------------------\n c3b02f8faf29386056616d4ec015acc47d5b8849e84a6f10912db62082fd8a23 IV62447s4a.140715.epkg.Z key_w_csum\n d0beae655b28178f13952fb0da831e028a28b9ed25d3cfe267e61cbcf08ff5aa IV62448s3a.140715.epkg.Z key_w_csum\n 2ce78311783f31c76abc8fba4d8f4ebeb376c64e23c268f954b0b9356d431755 IV62449s4a.140715.epkg.Z key_w_csum\n 3b414db115af1f4d32879474d14d8aaed276f149db6bc022e398f2c58a6da0a2 IV62450s3a.140715.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc.sig\n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n Ti preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; thus, IBM does not warrant the fully\n correct functionality of an interim fix.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\nV. WORKAROUNDS\n\n None\n\nVI. OBTAINING FIXES\n\n AIX security fixes can be downloaded from:\n\n ftp://aix.software.ibm.com/aix/efixes/security\n\n AIX fixes can be downloaded from:\n\n http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix\n\n NOTE: Affected customers are urged to upgrade to the latest\n applicable Technology Level and Service Pack.\n\nVII. CONTACT INFORMATION\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n \n To view previously issued advisories, please visit:\n \n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n\n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n\tTo obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To request the PGP public key that can be used to communicate\n securely with the AIX Security Team you can either:\n\n A. Send an email with \"get key\" in the subject line to:\n\n security-alert@austin.ibm.com\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\nVIII. ACKNOWLEDGMENTS\n\n IBM discovered and fixed this vulnerability as part of its\n commitment to secure the AIX operating system.\n\nIX. REFERENCES:\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/75510\n CVE-2014-0191: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n", "published": "2014-08-15T10:26:30", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc", "cvelist": ["CVE-2014-0191"], "lastseen": "2016-10-24T17:48:11"}], "centos": [{"id": "CESA-2015:0749", "type": "centos", "title": "libxml2 security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0749\n\n\nThe libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021029.html\n\n**Affected packages:**\nlibxml2\nlibxml2-devel\nlibxml2-python\nlibxml2-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0749.html", "published": "2015-04-01T03:26:34", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021029.html", "cvelist": ["CVE-2014-0191"], "lastseen": "2017-10-03T18:25:05"}, {"id": "CESA-2014:0513", "type": "centos", "title": "libxml2 security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0513\n\n\nThe libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nAn out-of-bounds read flaw was found in the way libxml2 detected the end of\nan XML file. A remote attacker could provide a specially crafted XML file\nthat, when processed by an application linked against libxml2, could cause\nthe application to crash. (CVE-2013-2877)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-May/020303.html\n\n**Affected packages:**\nlibxml2\nlibxml2-devel\nlibxml2-python\nlibxml2-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0513.html", "published": "2014-05-19T13:08:11", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-May/020303.html", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "lastseen": "2017-10-03T18:25:43"}], "oraclelinux": [{"id": "ELSA-2014-0513", "type": "oraclelinux", "title": "libxml2 security update", "description": "[2.7.6-14.0.1.el6_5.1]\n- Update doc/redhat.gif in tarball\n- Add libxml2-oracle-enterprise.patch and update logos in tarball\n[2-2.7.6-14.el6_5.1]\n- Improve handling of xmlStopParser(CVE-2013-2877)\n- Do not fetch external parameter entities (CVE-2014-0191)", "published": "2014-05-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0513.html", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "lastseen": "2016-09-04T11:17:13"}, {"id": "ELSA-2015-0749", "type": "oraclelinux", "title": "libxml2 security update", "description": "[2.9.1-5.0.1.el7_1.2]\n- Update doc/redhat.gif in tarball\n- Add libxml2-oracle-enterprise.patch and update logos in tarball\n[2.9.1-5.2]\n- Fix missing entities after CVE-2014-3660 fix\n- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195649)\n- Fix regressions introduced by CVE-2014-0191 patch", "published": "2015-03-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0749.html", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "lastseen": "2016-09-04T11:16:32"}, {"id": "ELSA-2015-2550", "type": "oraclelinux", "title": "libxml2 security update", "description": "[2.9.1-6.0.1.el7_1.2]\n- Update doc/redhat.gif in tarball\n- Add libxml2-oracle-enterprise.patch and update logos in tarball\n[2.9.1-6.2]\n- Fix a series of CVEs (rhbz#1286496)\n- CVE-2015-7941 Stop parsing on entities boundaries errors\n- CVE-2015-7941 Cleanup conditional section error handling\n- CVE-2015-8317 Fail parsing early on if encoding conversion failed\n- CVE-2015-7942 Another variation of overflow in Conditional sections\n- CVE-2015-7942 Fix an error in previous Conditional section patch\n- Fix parsing short unclosed comment uninitialized access\n- CVE-2015-7498 Avoid processing entities after encoding conversion failures\n- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey\n- CVE-2015-5312 Another entity expansion issue\n- CVE-2015-7499 Add xmlHaltParser() to stop the parser\n- CVE-2015-7499 Detect incoherency on GROW\n- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries\n- CVE-2015-8242 Buffer overead with HTML parser in push mode\n- CVE-2015-1819 Enforce the reader to run in constant memory\n[2.9.1-6]\n- Fix missing entities after CVE-2014-3660 fix\n- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)\n- Fix regressions introduced by CVE-2014-0191 patch\n[2.9.1-5.1]\n- CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)", "published": "2015-12-07T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-2550.html", "cvelist": ["CVE-2015-7497", "CVE-2015-7941", "CVE-2014-0191", "CVE-2015-8317", "CVE-2015-7498", "CVE-2015-8241", "CVE-2015-5312", "CVE-2015-7500", "CVE-2015-8242", "CVE-2015-1819", "CVE-2015-7499", "CVE-2014-3660", "CVE-2015-7942"], "lastseen": "2016-09-04T11:16:10"}], "archlinux": [{"id": "ASA-201410-12", "type": "archlinux", "title": "libxml2: Denial of service", "description": "Daniel Berrange discovered that libxml2 incorrectly performs entity\nsubstitution in the doctype prolog, even if the application using\nlibxml2 disabled any entity substitution. A remote attacker could\nprovide a specially crafted XML file that, when processed, leads to the\nexhaustion of CPU and memory resources or file descriptors.", "published": "2014-10-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2014-October/000123.html", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "lastseen": "2016-09-02T18:44:42"}], "vmware": [{"id": "VMSA-2014-0012", "type": "vmware", "title": "VMware vSphere product updates address security vulnerabilities", "description": "**a. VMware vCSA cross-site scripting vulnerability** \nVMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. \nVMware would like to thank Tanya Secker of Trustwave SpiderLabs for reporting this issue to us. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3797 to this issue. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "published": "2014-12-04T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2014-0012.html", "cvelist": ["CVE-2014-3797", "CVE-2014-0191", "CVE-2013-4238", "CVE-2013-2877", "CVE-2014-0015", "CVE-2013-1752", "CVE-2014-8371", "CVE-2014-0138"], "lastseen": "2016-09-04T11:19:25"}], "suse": [{"id": "SUSE-SU-2017:2699-1", "type": "suse", "title": "Security update for SLES 12 Docker image (important)", "description": "The SUSE Linux Enterprise Server 12 container image has been updated to\n include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 are now included in the base\n image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n util-linux:\n\n - CVE-2015-5218\n - CVE-2016-5011\n - CVE-2017-2616\n\n cracklib:\n\n - CVE-2016-6318\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - openldap2\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - shadow\n - zypper\n\n", "published": "2017-10-11T03:06:53", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html", "cvelist": ["CVE-2016-6262", "CVE-2017-7407", "CVE-2015-8388", "CVE-2016-8620", "CVE-2016-8623", "CVE-2017-9233", "CVE-2016-5420", "CVE-2016-9840", "CVE-2016-3705", "CVE-2016-1840", "CVE-2014-0191", "CVE-2016-8615", "CVE-2016-8616", "CVE-2015-5276", "CVE-2015-3210", "CVE-2015-2325", "CVE-2016-6261", "CVE-2016-8619", "CVE-2017-10685", "CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2015-8391", "CVE-2016-6263", "CVE-2016-2108", "CVE-2016-9063", "CVE-2016-8618", "CVE-2016-1762", "CVE-2016-6302", "CVE-2016-5300", "CVE-2015-8395", "CVE-2016-7141", "CVE-2016-1834", "CVE-2017-11112", "CVE-2016-2177", "CVE-2014-7169", "CVE-2015-8382", "CVE-2016-3627", "CVE-2015-1283", "CVE-2014-6277", "CVE-2016-2105", "CVE-2016-9318", "CVE-2016-4483", "CVE-2016-2107", "CVE-2015-8386", "CVE-2014-6278", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-3075", "CVE-2016-8617", "CVE-2016-9842", "CVE-2016-7796", "CVE-2017-2616", "CVE-2016-0634", "CVE-2012-6702", "CVE-2015-3238", "CVE-2016-2180", "CVE-2016-1835", "CVE-2016-0787", "CVE-2016-1234", "CVE-2016-0718", "CVE-2016-6185", "CVE-2015-8392", "CVE-2016-4574", "CVE-2015-8389", "CVE-2016-2109", "CVE-2015-8380", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-9048", "CVE-2014-8964", "CVE-2015-2059", "CVE-2017-11113", "CVE-2016-1283", "CVE-2016-6313", "CVE-2016-1837", "CVE-2016-6318", "CVE-2015-3622", "CVE-2016-4448", "CVE-2016-1238", "CVE-2015-8393", "CVE-2016-1838", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-2381", "CVE-2016-7543", "CVE-2017-1000101", "CVE-2016-8622", "CVE-2015-8853", "CVE-2014-7187", "CVE-2015-8394", "CVE-2016-4008", "CVE-2014-9770", "CVE-2015-3217", "CVE-2014-6271", "CVE-2017-7526", "CVE-2016-3191", "CVE-2017-1000366", "CVE-2016-1839", "CVE-2016-8624", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-9047", "CVE-2015-8948", "CVE-2014-7824", "CVE-2015-8842", "CVE-2016-9597", "CVE-2015-5218", "CVE-2016-6303", "CVE-2015-8383", "CVE-2017-1000100", "CVE-2015-8381", "CVE-2016-2182", "CVE-2016-5421", "CVE-2016-9586", "CVE-2015-5073", "CVE-2016-4447", "CVE-2016-5011", "CVE-2015-7511", "CVE-2015-8385", "CVE-2015-8806", "CVE-2016-9841", "CVE-2016-4579", "CVE-2015-0245", "CVE-2016-2037", "CVE-2016-2073", "CVE-2016-5419", "CVE-2015-2328", "CVE-2017-6507", "CVE-2016-4658", "CVE-2016-7167", "CVE-2017-10684", "CVE-2016-2179", "CVE-2016-2106", "CVE-2016-1833", "CVE-2015-8387", "CVE-2016-8621", "CVE-2015-8390", "CVE-2017-9050"], "lastseen": "2017-10-11T05:54:19"}, {"id": "SUSE-SU-2017:2700-1", "type": "suse", "title": "Security update for SLES 12-SP1 Docker image (important)", "description": "The SUSE Linux Enterprise Server 12 SP1 container image has been updated\n to include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 SP1 are now included in the\n base image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n expat:\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n - CVE-2016-7056\n - CVE-2016-8610\n - CVE-2017-3731\n\n cracklib:\n\n - CVE-2016-6318\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n util-linux:\n\n - CVE-2016-5011\n - CVE-2017-2616\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n update-alternatives:\n\n - CVE-2015-0860\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - lua51\n - lvm2\n - netcfg\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - sg3_utils\n - shadow\n - zypper\n\n", "published": "2017-10-11T03:07:32", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html", "cvelist": ["CVE-2016-6262", "CVE-2016-7056", "CVE-2017-7407", "CVE-2015-8388", "CVE-2016-8620", "CVE-2016-8623", "CVE-2017-9233", "CVE-2016-5420", "CVE-2016-9840", "CVE-2016-3705", "CVE-2016-1840", "CVE-2014-0191", "CVE-2016-8615", "CVE-2016-8616", "CVE-2015-5276", "CVE-2015-3210", "CVE-2015-2325", "CVE-2016-6261", "CVE-2016-8619", "CVE-2017-10685", "CVE-2016-6306", "CVE-2016-2183", "CVE-2015-0860", "CVE-2016-2178", "CVE-2015-8391", "CVE-2016-6263", "CVE-2016-2108", "CVE-2016-9063", "CVE-2016-8618", "CVE-2016-1762", "CVE-2016-6302", "CVE-2016-5300", "CVE-2015-8395", "CVE-2016-7141", "CVE-2016-1834", "CVE-2017-11112", "CVE-2016-2177", "CVE-2014-7169", "CVE-2015-8382", "CVE-2016-3627", "CVE-2015-1283", "CVE-2014-6277", "CVE-2016-2105", "CVE-2016-9318", "CVE-2016-4483", "CVE-2016-2107", "CVE-2017-3731", "CVE-2015-8386", "CVE-2014-6278", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-3075", "CVE-2016-8617", "CVE-2016-9842", "CVE-2016-7796", "CVE-2017-2616", "CVE-2016-0634", "CVE-2012-6702", "CVE-2015-3238", "CVE-2016-2180", "CVE-2016-1835", "CVE-2016-0787", "CVE-2016-8610", "CVE-2016-1234", "CVE-2016-0718", "CVE-2016-6185", "CVE-2015-8392", "CVE-2016-4574", "CVE-2015-8389", "CVE-2016-2109", "CVE-2015-8380", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-9048", "CVE-2014-8964", "CVE-2015-2059", "CVE-2017-11113", "CVE-2016-1283", "CVE-2016-6313", "CVE-2016-1837", "CVE-2016-6318", "CVE-2015-3622", "CVE-2016-4448", "CVE-2016-1238", "CVE-2015-8393", "CVE-2016-1838", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-2381", "CVE-2016-7543", "CVE-2017-1000101", "CVE-2016-8622", "CVE-2015-8853", "CVE-2014-7187", "CVE-2015-8394", "CVE-2016-4008", "CVE-2014-9770", "CVE-2015-3217", "CVE-2014-6271", "CVE-2017-7526", "CVE-2016-3191", "CVE-2017-1000366", "CVE-2016-1839", "CVE-2016-8624", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-9047", "CVE-2015-8948", "CVE-2014-7824", "CVE-2015-8842", "CVE-2016-9597", "CVE-2016-6303", "CVE-2015-8383", "CVE-2017-1000100", "CVE-2015-8381", "CVE-2016-2182", "CVE-2016-5421", "CVE-2016-9586", "CVE-2015-5073", "CVE-2016-4447", "CVE-2016-5011", "CVE-2015-7511", "CVE-2015-8385", "CVE-2015-8806", "CVE-2016-9841", "CVE-2016-4579", "CVE-2015-0245", "CVE-2016-2037", "CVE-2016-2073", "CVE-2016-5419", "CVE-2015-2328", "CVE-2017-6507", "CVE-2016-4658", "CVE-2016-7167", "CVE-2017-10684", "CVE-2016-2179", "CVE-2016-2106", "CVE-2016-1833", "CVE-2015-8387", "CVE-2016-8621", "CVE-2015-8390", "CVE-2017-9050"], "lastseen": "2017-10-11T05:54:20"}], "oracle": [{"id": "ORACLE:CPUOCT2015-2367953", "type": "oracle", "title": "Oracle Critical Patch Update - October 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-10-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-1792", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2014-7923", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-3236", "CVE-2015-4868", "CVE-2014-3572", "CVE-2015-0206", "CVE-1999-0377", "CVE-2015-1789", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2014-8150", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-2522", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2015-0288", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-0285", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-3153", "CVE-2015-0207", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2014-8275", "CVE-2015-4869", "CVE-2015-0208", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2014-3570", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2014-8147", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2014-3707", "CVE-2015-4912", "CVE-2015-0293", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-1788", "CVE-2015-2633", "CVE-2015-4807", "CVE-2014-8146", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-0209", "CVE-2015-3183", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-0204", "CVE-2014-7926", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-1790", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-0291", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4854", "CVE-2015-0287", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-0289", "CVE-2015-4916", "CVE-2015-4826", "CVE-2015-0292", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "lastseen": "2018-04-18T20:24:08"}, {"id": "ORACLE:CPUJAN2015-1972971", "type": "oracle", "title": "Oracle Critical Patch Update - January 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-03-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "lastseen": "2018-04-18T20:23:51"}]}}