{"id": "OPENVAS:1361412562310868769", "bulletinFamily": "scanner", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17573", "description": "Check the version of mingw-libxml2", "published": "2015-01-05T00:00:00", "modified": "2017-07-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868769", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["2014-17573", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html"], "cvelist": ["CVE-2014-0191"], "type": "openvas", "lastseen": "2018-09-01T23:51:16", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Check the version of mingw-libxml2", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "7deacf8073b37f3963733b47fadaeb16073de1589d0906f3e85df6e3fc75cd7b", "hashmap": [{"hash": "43a85f3a94742e3825d8895746d3e6d3", "key": "cvelist"}, {"hash": "159295b50f9d93a2f99cf6471805b8ab", "key": "published"}, {"hash": "f9f8b5987bdab1d07466d48ba1fd5f5b", "key": "pluginID"}, {"hash": "af239df7f4da639f49f6611f2a9ce5b9", "key": "references"}, {"hash": "a3a73e54829c0f8924bffd6399e4fddb", "key": "title"}, {"hash": "e720cc2f0865a8a7e0ab0b01515ddf04", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "d5341c4a0c6b6ead497395e416f84d01", "key": "sourceData"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "80f9564fae6ce374a51796355fefa101", "key": "href"}, {"hash": "0d134bf170d66438eb1e01173ee0187f", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868769", "id": "OPENVAS:1361412562310868769", "lastseen": "2018-08-30T19:22:31", "modified": "2017-07-10T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310868769", "published": "2015-01-05T00:00:00", "references": ["2014-17573", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17573\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868769\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17573\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17573\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17573", "type": "openvas", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:22:31"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Check the version of mingw-libxml2", "edition": 1, "enchantments": {}, "hash": "ed11aaba47c4c5637c7f65bf8b933dbcbc2c2520a4cf668ed120ec630bdda109", "hashmap": [{"hash": "43a85f3a94742e3825d8895746d3e6d3", "key": "cvelist"}, {"hash": "159295b50f9d93a2f99cf6471805b8ab", "key": "published"}, {"hash": "f9f8b5987bdab1d07466d48ba1fd5f5b", "key": "pluginID"}, {"hash": "af239df7f4da639f49f6611f2a9ce5b9", "key": "references"}, {"hash": "a3a73e54829c0f8924bffd6399e4fddb", "key": "title"}, {"hash": "3873c836ae45fd496c2b40bae50467ed", "key": "cvss"}, {"hash": "e720cc2f0865a8a7e0ab0b01515ddf04", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "2f67e6f11595015f8654c3ffc53f59c7", "key": "sourceData"}, {"hash": "80f9564fae6ce374a51796355fefa101", "key": "href"}, {"hash": "0b9bda101a59d322eb0b21f577836f9d", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868769", "id": "OPENVAS:1361412562310868769", "lastseen": "2017-07-02T21:12:03", "modified": "2017-06-15T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310868769", "published": "2015-01-05T00:00:00", "references": ["2014-17573", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17573\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868769\");\n script_version(\"$Revision: 6345 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-06-15 12:00:59 +0200 (Thu, 15 Jun 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17573\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17573\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17573", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:12:03"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Check the version of mingw-libxml2", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e119128009fff16e7f5f4f96b4af6d4eed1c602086c2979c61da7ae78c38442e", "hashmap": [{"hash": "43a85f3a94742e3825d8895746d3e6d3", "key": "cvelist"}, {"hash": "159295b50f9d93a2f99cf6471805b8ab", "key": "published"}, {"hash": "f9f8b5987bdab1d07466d48ba1fd5f5b", "key": "pluginID"}, {"hash": "af239df7f4da639f49f6611f2a9ce5b9", "key": "references"}, {"hash": "a3a73e54829c0f8924bffd6399e4fddb", "key": "title"}, {"hash": "3873c836ae45fd496c2b40bae50467ed", "key": "cvss"}, {"hash": "e720cc2f0865a8a7e0ab0b01515ddf04", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "d5341c4a0c6b6ead497395e416f84d01", "key": "sourceData"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "80f9564fae6ce374a51796355fefa101", "key": "href"}, {"hash": "0d134bf170d66438eb1e01173ee0187f", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868769", "id": "OPENVAS:1361412562310868769", "lastseen": "2017-07-25T10:53:07", "modified": "2017-07-10T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310868769", "published": "2015-01-05T00:00:00", "references": ["2014-17573", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17573\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868769\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17573\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17573\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17573", "type": "openvas", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-07-25T10:53:07"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "43a85f3a94742e3825d8895746d3e6d3"}, {"key": "cvss", "hash": "3873c836ae45fd496c2b40bae50467ed"}, {"key": "description", "hash": "e720cc2f0865a8a7e0ab0b01515ddf04"}, {"key": "href", "hash": "80f9564fae6ce374a51796355fefa101"}, {"key": "modified", "hash": "0d134bf170d66438eb1e01173ee0187f"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "f9f8b5987bdab1d07466d48ba1fd5f5b"}, {"key": "published", "hash": "159295b50f9d93a2f99cf6471805b8ab"}, {"key": "references", "hash": "af239df7f4da639f49f6611f2a9ce5b9"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "d5341c4a0c6b6ead497395e416f84d01"}, {"key": "title", "hash": "a3a73e54829c0f8924bffd6399e4fddb"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "e119128009fff16e7f5f4f96b4af6d4eed1c602086c2979c61da7ae78c38442e", "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17573\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868769\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17573\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17573\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147322.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "1361412562310868769"}

{"cve": [{"lastseen": "2017-08-29T10:48:05", "references": ["http://www.securityfocus.com/bid/67233", "https://support.apple.com/kb/HT205031", "https://exchange.xforce.ibmcloud.com/vulnerabilities/93092", "http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html", "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", "http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html", "http://www-01.ibm.com/support/docview.wss?uid=swg21678183", "http://rhn.redhat.com/errata/RHSA-2015-0749.html", "https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df", "https://bugzilla.redhat.com/show_bug.cgi?id=1090976", "http://xmlsoft.org/news.html", "https://support.apple.com/kb/HT205030", "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"], "edition": 3, "description": "The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.", "reporter": "NVD", "published": "2015-01-21T09:59:00", "title": "CVE-2014-0191", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-0191"], "scanner": [], "cpe": ["cpe:/a:oracle:fusion_middleware:11.1.1.7.0", "cpe:/a:oracle:fusion_middleware:12.1.2.0.0", "cpe:/a:oracle:fusion_middleware:12.1.3.0.0"], "modified": "2017-08-28T21:34:08", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0191", "id": "CVE-2014-0191", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:33:01", "references": ["http://www.nessus.org/u?bea9144b", "https://bugzilla.redhat.com/show_bug.cgi?id=1090976"], "pluginID": "82627", "description": "fixes built in also added a couple of other entities related patches including a fix to CVE-2014-3660\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2015-04-08T00:00:00", "title": "Fedora 21 : libxml2-2.9.1-7.fc21 (2015-4658)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2015-10-19T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:libxml2", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2015-4658.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82627", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-4658.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82627);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:06:18 $\");\n\n script_cve_id(\"CVE-2014-0191\");\n script_xref(name:\"FEDORA\", value:\"2015-4658\");\n\n script_name(english:\"Fedora 21 : libxml2-2.9.1-7.fc21 (2015-4658)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"fixes built in also added a couple of other entities related patches\nincluding a fix to CVE-2014-3660\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1090976\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154408.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bea9144b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libxml2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"libxml2-2.9.1-7.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libxml2\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-13T17:00:24", "references": ["https://packages.debian.org/source/wheezy/libxml2", "https://www.debian.org/security/2014/dsa-2978"], "pluginID": "76499", "description": "Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.", "edition": 6, "reporter": "Tenable", "published": "2014-07-15T00:00:00", "title": "Debian DSA-2978-1 : libxml2 - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libxml2", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2978.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76499", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2978. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76499);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:36\");\n\n script_cve_id(\"CVE-2014-0191\");\n script_bugtraq_id(67233);\n script_xref(name:\"DSA\", value:\"2978\");\n\n script_name(english:\"Debian DSA-2978-1 : libxml2 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libxml2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2978\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libxml2 packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.8.0+dfsg1-7+wheezy1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libxml2\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxml2-dbg\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxml2-dev\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxml2-doc\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxml2-utils\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxml2-utils-dbg\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-libxml2\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-libxml2-dbg\", reference:\"2.8.0+dfsg1-7+wheezy1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-17T02:56:55", "references": ["http://www.nessus.org/u?4a913f44", "https://blogs.oracle.com/sunsecurity/cve-2014-0191-denial-of-servicedos-vulnerability-in-libxml2"], "pluginID": "80692", "description": "The remote Solaris system is missing necessary patches to address security updates.", "edition": 5, "reporter": "Tenable", "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : libxml2 (cve_2014_0191_denial_of)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Solaris Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.2", "p-cpe:/a:oracle:solaris:libxml2"], "id": "SOLARIS11_LIBXML2_20140819.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80692", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80692);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2014-0191\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : libxml2 (cve_2014_0191_denial_of)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates.\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blogs.oracle.com/sunsecurity/cve-2014-0191-denial-of-servicedos-vulnerability-in-libxml2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.2.1.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:libxml2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^libxml2$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libxml2\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.2.1.0.5.0\", sru:\"SRU 11.2.1.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : libxml2\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"libxml2\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-24T03:26:00", "references": ["http://www.nessus.org/u?40a55a7a", "https://www.openwall.com/lists/oss-security/2014/05/06/4", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191", "https://git.gnome.org/browse/libxml2/tag/?id=CVE-2014-0191"], "pluginID": "73975", "description": "Stefan Cornelius reports :\n\nIt was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.\n\nThis issue was discovered by Daniel Berrange of Red Hat.", "edition": 6, "reporter": "Tenable", "published": "2014-05-13T00:00:00", "title": "FreeBSD : libxml2 -- entity substitution DoS (efdd0edc-da3d-11e3-9ecb-2c4138874f7d)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-c6-libxml2", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:linux-f10-libxml2", "p-cpe:/a:freebsd:freebsd:libxml2"], "id": "FREEBSD_PKG_EFDD0EDCDA3D11E39ECB2C4138874F7D.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73975", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73975);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/23 12:49:57\");\n\n script_cve_id(\"CVE-2014-0191\");\n\n script_name(english:\"FreeBSD : libxml2 -- entity substitution DoS (efdd0edc-da3d-11e3-9ecb-2c4138874f7d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Cornelius reports :\n\nIt was discovered that libxml2, a library providing support to read,\nmodify and write XML files, incorrectly performs entity substitution\nin the doctype prolog, even if the application using libxml2 disabled\nany entity substitution. A remote attacker could provide a\nspecially crafted XML file that, when processed, would lead to the\nexhaustion of CPU and memory resources or file descriptors.\n\nThis issue was discovered by Daniel Berrange of Red Hat.\"\n );\n # http://www.openwall.com/lists/oss-security/2014/05/06/4\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2014/05/06/4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://git.gnome.org/browse/libxml2/tag/?id=CVE-2014-0191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191\"\n );\n # https://vuxml.freebsd.org/freebsd/efdd0edc-da3d-11e3-9ecb-2c4138874f7d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?40a55a7a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"libxml2<2.9.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-libxml2<2.7.6_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-libxml2>=*\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:35:28", "references": ["http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc"], "pluginID": "77257", "description": "Libxml2 is vulnerable to a denial of service, caused by the expansion of internal entities within the xmlParserHandlePEReference().", "edition": 4, "reporter": "Tenable", "published": "2014-08-20T00:00:00", "title": "AIX 6.1 TL 8 : libxml2 (IV62447)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "AIX Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2015-01-23T00:00:00", "cpe": ["cpe:/o:ibm:aix:6.1"], "id": "AIX_IV62447.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libxml2_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77257);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/01/23 14:22:56 $\");\n\n script_cve_id(\"CVE-2014-0191\");\n\n script_name(english:\"AIX 6.1 TL 8 : libxml2 (IV62447)\");\n script_summary(english:\"Check for APAR IV62447\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Libxml2 is vulnerable to a denial of service, caused by the expansion\nof internal entities within the xmlParserHandlePEReference().\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/08/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"08\", sp:\"04\", patch:\"IV62447s4a\", package:\"bos.rte.control\", minfilesetver:\"6.1.8.0\", maxfilesetver:\"6.1.8.17\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:51:17", "references": ["http://advisories.mageia.org/MGASA-2014-0214.html"], "pluginID": "73978", "description": "Updated libxml2 packages fix security vulnerability :\n\nIt was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors (CVE-2014-0191).", "edition": 5, "reporter": "Tenable", "published": "2014-05-13T00:00:00", "title": "Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:086)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-07-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:libxml2-utils", "cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:lib64xml2-devel", "p-cpe:/a:mandriva:linux:lib64xml2_2", "p-cpe:/a:mandriva:linux:libxml2-python"], "id": "MANDRIVA_MDVSA-2014-086.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73978", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:086. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73978);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/19 20:59:18\");\n\n script_cve_id(\"CVE-2014-0191\");\n script_bugtraq_id(67233);\n script_xref(name:\"MDVSA\", value:\"2014:086\");\n\n script_name(english:\"Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:086)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated libxml2 packages fix security vulnerability :\n\nIt was discovered that libxml2, a library providing support to read,\nmodify and write XML files, incorrectly performs entity substituton in\nthe doctype prolog, even if the application using libxml2 disabled any\nentity substitution. A remote attacker could provide a specially\ncrafted XML file that, when processed, would lead to the exhaustion of\nCPU and memory resources or file descriptors (CVE-2014-0191).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0214.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64xml2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64xml2_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libxml2-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libxml2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64xml2-devel-2.7.8-14.20120229.2.4.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64xml2_2-2.7.8-14.20120229.2.4.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"libxml2-python-2.7.8-14.20120229.2.4.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"libxml2-utils-2.7.8-14.20120229.2.4.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-11T12:53:41", "references": ["http://www.nessus.org/u?111409dc"], "pluginID": "82476", "description": "Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe libxml2 library is a development toolbox providing the implementation of various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.", "edition": 7, "reporter": "Tenable", "published": "2015-04-01T00:00:00", "title": "CentOS 7 : libxml2 (CESA-2015:0749)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:centos:centos:libxml2", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:libxml2-python", "p-cpe:/a:centos:centos:libxml2-static", "p-cpe:/a:centos:centos:libxml2-devel"], "id": "CENTOS_RHSA-2015-0749.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82476", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0749 and \n# CentOS Errata and Security Advisory 2015:0749 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82476);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2014-0191\");\n script_bugtraq_id(67233);\n script_xref(name:\"RHSA\", value:\"2015:0749\");\n\n script_name(english:\"CentOS 7 : libxml2 (CESA-2015:0749)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated libxml2 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe libxml2 library is a development toolbox providing the\nimplementation of various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even\nwhen entity substitution was disabled. A remote attacker able to\nprovide a specially crafted XML file to an application linked against\nlibxml2 could use this flaw to conduct XML External Entity (XXE)\nattacks, possibly resulting in a denial of service or an information\nleak on the system. (CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red\nHat.\n\nAll libxml2 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. The desktop\nmust be restarted (log out, then log back in) for this update to take\neffect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-April/021029.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?111409dc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libxml2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libxml2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libxml2-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libxml2-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libxml2-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libxml2-devel-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libxml2-python-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libxml2-static-2.9.1-5.el7_1.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-13T17:00:14", "references": ["https://lists.opensuse.org/opensuse-updates/2014-06/msg00009.html", "https://bugzilla.novell.com/show_bug.cgi?id=876652"], "pluginID": "75381", "description": "Removed fix for CVE-2014-0191. This fix breaks existing applications and there's currently no way to prevent that.", "edition": 5, "reporter": "Tenable", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0753-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libxml2-2-debuginfo", "p-cpe:/a:novell:opensuse:python-libxml2-debuginfo", "p-cpe:/a:novell:opensuse:python-libxml2", "cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:libxml2-2", "p-cpe:/a:novell:opensuse:libxml2-devel-32bit", "p-cpe:/a:novell:opensuse:libxml2-debugsource", "p-cpe:/a:novell:opensuse:libxml2-devel", "p-cpe:/a:novell:opensuse:libxml2-2-32bit", "p-cpe:/a:novell:opensuse:python-libxml2-debugsource", "p-cpe:/a:novell:opensuse:libxml2-tools-debuginfo", "cpe:/o:novell:opensuse:13.1", "p-cpe:/a:novell:opensuse:libxml2-tools", "p-cpe:/a:novell:opensuse:libxml2-2-debuginfo-32bit"], "id": "OPENSUSE-2014-409.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75381", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-409.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75381);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/10 11:50:02\");\n\n script_cve_id(\"CVE-2014-0191\");\n\n script_name(english:\"openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0753-1)\");\n script_summary(english:\"Check for the openSUSE-2014-409 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Removed fix for CVE-2014-0191. This fix breaks existing applications\nand there's currently no way to prevent that.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=876652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-06/msg00009.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libxml2 / python-libxml2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-libxml2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-libxml2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3|SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3 / 13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libxml2-2-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libxml2-2-debuginfo-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libxml2-debugsource-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libxml2-devel-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libxml2-tools-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libxml2-tools-debuginfo-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"python-libxml2-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"python-libxml2-debuginfo-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"python-libxml2-debugsource-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libxml2-2-32bit-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-32bit-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libxml2-devel-32bit-2.9.0-2.29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libxml2-2-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libxml2-2-debuginfo-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libxml2-debugsource-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libxml2-devel-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libxml2-tools-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libxml2-tools-debuginfo-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"python-libxml2-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"python-libxml2-debuginfo-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"python-libxml2-debugsource-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libxml2-2-32bit-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-32bit-2.9.1-2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libxml2-devel-32bit-2.9.1-2.12.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libxml2 / python-libxml2\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:52:26", "references": ["http://www.nessus.org/u?dc8e05cc"], "pluginID": "82468", "description": "It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191)\n\nThe desktop must be restarted (log out, then log back in) for this update to take effect.", "edition": 4, "reporter": "Tenable", "published": "2015-03-31T00:00:00", "title": "Scientific Linux Security Update : libxml2 on SL7.x x86_64", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2015-03-31T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20150330_LIBXML2_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82468", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82468);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2015/03/31 13:56:07 $\");\n\n script_cve_id(\"CVE-2014-0191\");\n\n script_name(english:\"Scientific Linux Security Update : libxml2 on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that libxml2 loaded external parameter entities even\nwhen entity substitution was disabled. A remote attacker able to\nprovide a specially crafted XML file to an application linked against\nlibxml2 could use this flaw to conduct XML External Entity (XXE)\nattacks, possibly resulting in a denial of service or an information\nleak on the system. (CVE-2014-0191)\n\nThe desktop must be restarted (log out, then log back in) for this\nupdate to take effect.\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1503&L=scientific-linux-errata&T=0&P=4139\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dc8e05cc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libxml2-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libxml2-debuginfo-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libxml2-devel-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libxml2-python-2.9.1-5.el7_1.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libxml2-static-2.9.1-5.el7_1.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:43:04", "references": ["http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc"], "pluginID": "77258", "description": "Libxml2 is vulnerable to a denial of service, caused by the expansion of internal entities within the xmlParserHandlePEReference().", "edition": 4, "reporter": "Tenable", "published": "2014-08-20T00:00:00", "title": "AIX 6.1 TL 9 : libxml2 (IV62448)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "AIX Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2015-01-23T00:00:00", "cpe": ["cpe:/o:ibm:aix:6.1"], "id": "AIX_IV62448.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libxml2_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77258);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/01/23 14:22:56 $\");\n\n script_cve_id(\"CVE-2014-0191\");\n\n script_name(english:\"AIX 6.1 TL 9 : libxml2 (IV62448)\");\n script_summary(english:\"Check for APAR IV62448\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Libxml2 is vulnerable to a denial of service, caused by the expansion\nof internal entities within the xmlParserHandlePEReference().\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/08/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"03\", patch:\"IV62448s3a\", package:\"bos.rte.control\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.15\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-09-01T23:54:28", "references": ["http://www.debian.org/security/2014/dsa-2978.html"], "pluginID": "1361412562310702978", "description": "Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-07-11T00:00:00", "title": "Debian Security Advisory DSA 2978-1 (libxml2 - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310702978", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702978", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2978.nasl 9354 2018-04-06 07:15:32Z cfischer $\n# Auto-generated from advisory DSA 2978-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"libxml2 on Debian Linux\";\ntag_insight = \"XML is a metalanguage to let you design your own markup language.\nA regular markup language defines a way to describe information in\na certain class of documents (eg HTML). XML lets you define your\nown customized markup languages for many classes of document. It\ncan do this because it's written in SGML, the international standard\nmetalanguage for markup languages.\";\ntag_solution = \"For the stable distribution (wheezy), this problem has been fixed in\nversion 2.8.0+dfsg1-7+wheezy1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.9.1+dfsg1-4.\n\nWe recommend that you upgrade your libxml2 packages.\";\ntag_summary = \"Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702978\");\n script_version(\"$Revision: 9354 $\");\n script_cve_id(\"CVE-2014-0191\");\n script_name(\"Debian Security Advisory DSA 2978-1 (libxml2 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:15:32 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2014-07-11 00:00:00 +0200 (Fri, 11 Jul 2014)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2978.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-02T14:32:33", "references": ["https://alas.aws.amazon.com/ALAS-2014-341.html"], "pluginID": "1361412562310120474", "description": "Amazon Linux Local Security Checks", "edition": 6, "reporter": "Eero Volotinen", "published": "2015-09-08T00:00:00", "title": "Amazon Linux Local Check: ALAS-2014-341", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-10-01T00:00:00", "id": "OPENVAS:1361412562310120474", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120474", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-341.nasl 6750 2017-07-18 09:56:47Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120474\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:27:15 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-341\");\n script_tag(name:\"insight\", value:\"It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.\");\n script_tag(name:\"solution\", value:\"Run yum update libxml2 to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-341.html\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"libxml2-debuginfo\", rpm:\"libxml2-debuginfo~2.9.1~1.1.30.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libxml2-python\", rpm:\"libxml2-python~2.9.1~1.1.30.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libxml2\", rpm:\"libxml2~2.9.1~1.1.30.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libxml2-devel\", rpm:\"libxml2-devel~2.9.1~1.1.30.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libxml2-static\", rpm:\"libxml2-static~2.9.1~1.1.30.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-28T18:24:05", "references": ["http://linux.oracle.com/errata/ELSA-2015-0749.html"], "pluginID": "1361412562310123148", "description": "Oracle Linux Local Security Checks ELSA-2015-0749", "edition": 6, "reporter": "Eero Volotinen", "published": "2015-10-06T00:00:00", "title": "Oracle Linux Local Check: ELSA-2015-0749", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123148", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123148", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0749.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123148\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:59:58 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0749\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0749 - libxml2 security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0749\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0749.html\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"libxml2\", rpm:\"libxml2~2.9.1~5.0.1.el7_1.2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libxml2-devel\", rpm:\"libxml2-devel~2.9.1~5.0.1.el7_1.2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libxml2-python\", rpm:\"libxml2-python~2.9.1~5.0.1.el7_1.2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libxml2-static\", rpm:\"libxml2-static~2.9.1~5.0.1.el7_1.2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:51:42", "references": ["2014-17609", "https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147320.html"], "pluginID": "1361412562310868768", "description": "Check the version of mingw-libxml2", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-01-05T00:00:00", "title": "Fedora Update for mingw-libxml2 FEDORA-2014-17609", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310868768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868768", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-libxml2 FEDORA-2014-17609\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868768\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:50:49 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for mingw-libxml2 FEDORA-2014-17609\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"MinGW Windows libxml2 XML processing library.\n\");\n script_tag(name: \"affected\", value: \"mingw-libxml2 on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17609\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147320.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-libxml2\", rpm:\"mingw-libxml2~2.9.2~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:13:23", "references": ["https://www.redhat.com/archives/rhsa-announce/2015-March/msg00054.html", "2015:0749-01"], "pluginID": "1361412562310871346", "description": "The remote host is missing an update for the ", "edition": 7, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-03-31T00:00:00", "title": "RedHat Update for libxml2 RHSA-2015:0749-01", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871346", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871346", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for libxml2 RHSA-2015:0749-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871346\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-31 07:09:15 +0200 (Tue, 31 Mar 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for libxml2 RHSA-2015:0749-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libxml2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\");\n script_tag(name:\"affected\", value:\"libxml2 on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:0749-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-March/msg00054.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"libxml2\", rpm:\"libxml2~2.9.1~5.el7_1.2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-debuginfo\", rpm:\"libxml2-debuginfo~2.9.1~5.el7_1.2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-devel\", rpm:\"libxml2-devel~2.9.1~5.el7_1.2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-python\", rpm:\"libxml2-python~2.9.1~5.el7_1.2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:51:59", "references": ["2015:0749", "http://lists.centos.org/pipermail/centos-announce/2015-April/021029.html"], "pluginID": "1361412562310882149", "description": "Check the version of libxml2", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-04-01T00:00:00", "title": "CentOS Update for libxml2 CESA-2015:0749 centos7 ", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310882149", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882149", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libxml2 CESA-2015:0749 centos7 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882149\");\n script_version(\"$Revision: 6657 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-01 07:25:04 +0200 (Wed, 01 Apr 2015)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libxml2 CESA-2015:0749 centos7 \");\n script_tag(name: \"summary\", value: \"Check the version of libxml2\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n\");\n script_tag(name: \"affected\", value: \"libxml2 on CentOS 7\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:0749\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-April/021029.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"libxml2\", rpm:\"libxml2~2.9.1~5.el7_1.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-devel\", rpm:\"libxml2-devel~2.9.1~5.el7_1.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-python\", rpm:\"libxml2-python~2.9.1~5.el7_1.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-static\", rpm:\"libxml2-static~2.9.1~5.el7_1.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-31T10:48:40", "references": ["http://www.debian.org/security/2014/dsa-2978.html"], "pluginID": "702978", "description": "Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-07-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 2978-1 (libxml2 - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2017-07-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=702978", "id": "OPENVAS:702978", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2978.nasl 6724 2017-07-14 09:57:17Z teissa $\n# Auto-generated from advisory DSA 2978-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"libxml2 on Debian Linux\";\ntag_insight = \"XML is a metalanguage to let you design your own markup language.\nA regular markup language defines a way to describe information in\na certain class of documents (eg HTML). XML lets you define your\nown customized markup languages for many classes of document. It\ncan do this because it's written in SGML, the international standard\nmetalanguage for markup languages.\";\ntag_solution = \"For the stable distribution (wheezy), this problem has been fixed in\nversion 2.8.0+dfsg1-7+wheezy1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.9.1+dfsg1-4.\n\nWe recommend that you upgrade your libxml2 packages.\";\ntag_summary = \"Daniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702978);\n script_version(\"$Revision: 6724 $\");\n script_cve_id(\"CVE-2014-0191\");\n script_name(\"Debian Security Advisory DSA 2978-1 (libxml2 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-14 11:57:17 +0200 (Fri, 14 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-07-11 00:00:00 +0200 (Fri, 11 Jul 2014)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2978.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-dev\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-doc\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxml2-utils-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-libxml2-dbg\", ver:\"2.8.0+dfsg1-7+wheezy1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-29T12:40:13", "references": ["https://security.gentoo.org/glsa/201409-08"], "pluginID": "1361412562310121271", "description": "Gentoo Linux Local Security Checks GLSA 201409-08", "edition": 7, "reporter": "Eero Volotinen", "published": "2015-09-29T00:00:00", "title": "Gentoo Security Advisory GLSA 201409-08", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310121271", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121271", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201409-08.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121271\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:54 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201409-08\");\n script_tag(name:\"insight\", value:\"A vulnerability in the xmlParserHandlePEReference() function of parser.c, when expanding entity references, can be exploited to consume large amounts of memory and cause a crash or hang.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201409-08\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201409-08\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"dev-libs/libxml2\", unaffected: make_list(\"ge 2.9.1-r4\"), vulnerable: make_list(\"lt 2.9.1-r4\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-19T13:03:29", "references": ["2214-1", "http://www.ubuntu.com/usn/usn-2214-1/"], "pluginID": "1361412562310841826", "description": "The remote host is missing an update for the ", "edition": 9, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-19T00:00:00", "title": "Ubuntu Update for libxml2 USN-2214-1", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191"], "modified": "2018-11-16T00:00:00", "id": "OPENVAS:1361412562310841826", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841826", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2214_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# Ubuntu Update for libxml2 USN-2214-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841826\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-19 11:25:10 +0530 (Mon, 19 May 2014)\");\n script_cve_id(\"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Ubuntu Update for libxml2 USN-2214-1\");\n\n\n script_tag(name:\"affected\", value:\"libxml2 on Ubuntu 14.04 LTS,\n Ubuntu 13.10,\n Ubuntu 12.10,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"Daniel Berrange discovered that libxml2 would incorrectly\nperform entity substitution even when requested not to. If a user or automated\nsystem were tricked into opening a specially crafted document, an attacker\ncould possibly cause resource consumption, resulting in a denial of service.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2214-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2214-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libxml2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|10\\.04 LTS|13\\.10|12\\.10)\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libxml2:i386\", ver:\"2.9.1+dfsg1-3ubuntu4.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.7.8.dfsg-5.1ubuntu4.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.7.6.dfsg-1ubuntu1.11\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libxml2:i386\", ver:\"2.9.1+dfsg1-3ubuntu2.1\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libxml2\", ver:\"2.8.0+dfsg1-5ubuntu2.5\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:14:07", "references": ["2014:0513-01", "https://www.redhat.com/archives/rhsa-announce/2014-May/msg00020.html"], "pluginID": "1361412562310871166", "description": "The remote host is missing an update for the ", "edition": 8, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-26T00:00:00", "title": "RedHat Update for libxml2 RHSA-2014:0513-01", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871166", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871166", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for libxml2 RHSA-2014:0513-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871166\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-26 16:05:50 +0530 (Mon, 26 May 2014)\");\n script_cve_id(\"CVE-2013-2877\", \"CVE-2014-0191\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"RedHat Update for libxml2 RHSA-2014:0513-01\");\n\n\n script_tag(name:\"affected\", value:\"libxml2 on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"insight\", value:\"The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nAn out-of-bounds read flaw was found in the way libxml2 detected the end of\nan XML file. A remote attacker could provide a specially crafted XML file\nthat, when processed by an application linked against libxml2, could cause\nthe application to crash. (CVE-2013-2877)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:0513-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-May/msg00020.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libxml2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libxml2\", rpm:\"libxml2~2.7.6~14.el6_5.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-debuginfo\", rpm:\"libxml2-debuginfo~2.7.6~14.el6_5.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-devel\", rpm:\"libxml2-devel~2.7.6~14.el6_5.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libxml2-python\", rpm:\"libxml2-python~2.7.6~14.el6_5.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:18", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "x86_64", "packageFilename": "libxml2-python-2.9.1-1.1.30.amzn1.x86_64.rpm", "packageName": "libxml2-python", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "src", "packageFilename": "libxml2-2.9.1-1.1.30.amzn1.src.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "i686", "packageFilename": "libxml2-devel-2.9.1-1.1.30.amzn1.i686.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "x86_64", "packageFilename": "libxml2-static-2.9.1-1.1.30.amzn1.x86_64.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "i686", "packageFilename": "libxml2-python-2.9.1-1.1.30.amzn1.i686.rpm", "packageName": "libxml2-python", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "x86_64", "packageFilename": "libxml2-debuginfo-2.9.1-1.1.30.amzn1.x86_64.rpm", "packageName": "libxml2-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "i686", "packageFilename": "libxml2-2.9.1-1.1.30.amzn1.i686.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "x86_64", "packageFilename": "libxml2-devel-2.9.1-1.1.30.amzn1.x86_64.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "x86_64", "packageFilename": "libxml2-2.9.1-1.1.30.amzn1.x86_64.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "i686", "packageFilename": "libxml2-static-2.9.1-1.1.30.amzn1.i686.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.9.1-1.1.30.amzn1", "arch": "i686", "packageFilename": "libxml2-debuginfo-2.9.1-1.1.30.amzn1.i686.rpm", "packageName": "libxml2-debuginfo", "operator": "lt"}], "description": "**Issue Overview:**\n\nIt was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.\n\n \n**Affected Packages:** \n\n\nlibxml2\n\n \n**Issue Correction:** \nRun _yum update libxml2_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n libxml2-debuginfo-2.9.1-1.1.30.amzn1.i686 \n libxml2-python-2.9.1-1.1.30.amzn1.i686 \n libxml2-2.9.1-1.1.30.amzn1.i686 \n libxml2-devel-2.9.1-1.1.30.amzn1.i686 \n libxml2-static-2.9.1-1.1.30.amzn1.i686 \n \n src: \n libxml2-2.9.1-1.1.30.amzn1.src \n \n x86_64: \n libxml2-debuginfo-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-devel-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-static-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-2.9.1-1.1.30.amzn1.x86_64 \n libxml2-python-2.9.1-1.1.30.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2014-09-18T00:35:00", "title": "Medium: libxml2", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:18", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-09-18T00:35:00", "id": "ALAS-2014-341", "href": "https://alas.aws.amazon.com/ALAS-2014-341.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:08:56", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0191"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "2.9.1+dfsg1-3ubuntu4.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libxml2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "2.8.0+dfsg1-5ubuntu2.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libxml2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "2.7.6.dfsg-1ubuntu1.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libxml2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "2.7.8.dfsg-5.1ubuntu4.7", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libxml2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.10", "packageVersion": "2.9.1+dfsg1-3ubuntu2.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libxml2", "operator": "lt"}], "description": "Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.", "edition": 3, "reporter": "Ubuntu", "published": "2014-05-15T00:00:00", "title": "libxml2 vulnerability", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-05-15T00:00:00", "id": "USN-2214-1", "href": "https://usn.ubuntu.com/2214-1/", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-18T13:50:30", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "2.8.0+dfsg1-7+wheezy1", "arch": "all", "packageFilename": "libxml2_2.8.0+dfsg1-7+wheezy1_all.deb", "packageName": "libxml2", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2978-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 11, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libxml2\nCVE ID : CVE-2014-0191\n\nDaniel P. Berrange discovered a denial of service vulnerability in \nlibxml2 entity substitution.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.8.0+dfsg1-7+wheezy1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.9.1+dfsg1-4.\n\nWe recommend that you upgrade your libxml2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2014-07-11T14:30:16", "title": "[SECURITY] [DSA 2978-1] libxml2 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:50:30", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-07-11T14:30:16", "id": "DEBIAN:DSA-2978-1:D9688", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00159.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:14:13", "references": [], "affectedPackage": [], "description": "Package : libxml2\nVersion : 2.7.8.dfsg-2+squeeze9\nCVE ID : CVE-2014-0191\nDebian Bug : #747309\n\nDaniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.\n\n", "edition": 1, "reporter": "Debian", "published": "2014-07-19T14:46:40", "title": "libxml2 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:13", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-07-19T14:46:40", "id": "DEBIAN:8613E99116DFAD11AB50FECC40F571E0:036E2", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201407/msg00004.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:13:50", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "libxml2-utils_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "libxml2-utils", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "libxml2-doc_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "libxml2-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "python-libxml2_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "python-libxml2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "libxml2-dbg_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "libxml2-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "libxml2_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "libxml2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "python-libxml2-dbg_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "python-libxml2-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze", "arch": "all", "packageFilename": "libxml2-dev_2.7.8.dfsg-2+squeeze_all.deb", "packageName": "libxml2-dev", "operator": "lt"}], "description": "Package : libxml2\nVersion : 2.7.8.dfsg-2+squeeze9\nCVE ID : CVE-2014-0191\nDebian Bug : #747309\n\nDaniel P. Berrange discovered a denial of service vulnerability in\nlibxml2 entity substitution.\n\n", "edition": 1, "reporter": "Debian", "published": "2014-07-19T15:16:39", "title": "[DLA-0016-1] libxml2 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:50", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-07-19T15:16:39", "id": "DEBIAN:DLA-0016-1:08E9F", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201407/msg00005.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:13:19", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "libxml2-utils_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "libxml2-utils", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "python-libxml2-dbg_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "python-libxml2-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "libxml2_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "libxml2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "libxml2-dbg_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "libxml2-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "libxml2-dev_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "libxml2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "libxml2-doc_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "libxml2-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze11", "arch": "all", "packageFilename": "python-libxml2_2.7.8.dfsg-2+squeeze11_all.deb", "packageName": "python-libxml2", "operator": "lt"}], "description": "Package : libxml2\nVersion : 2.7.8.dfsg-2+squeeze11\nCVE ID : CVE-2014-0191 CVE-2014-3660\nDebian Bug : 768089\n\nIt was discovered that the update released for libxml2 in DSA 2978 fixing\nCVE-2014-0191 was incomplete. This caused libxml2 to still fetch external\nentities regardless of whether entity substitution or validation is\nenabled.\n\nIn addition, this update addresses a regression introduced in DSA 3057 by\nthe patch fixing CVE-2014-3660. This caused libxml2 to not parse an\nentity when it&#x27;s used first in another entity referenced from an\nattribute value.\n\n", "edition": 1, "reporter": "Debian", "published": "2015-02-07T16:15:24", "title": "[SECURITY] [DLA 151-1] libxml2 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:19", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "modified": "2015-02-07T16:15:24", "id": "DEBIAN:DLA-151-1:ED039", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201502/msg00005.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:13:15", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "libxml2_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "libxml2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "python-libxml2-dbg_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "python-libxml2-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "python-libxml2_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "python-libxml2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "libxml2-dbg_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "libxml2-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "libxml2-dev_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "libxml2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "libxml2-utils_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "libxml2-utils", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.7.8.dfsg-2+squeeze10", "arch": "all", "packageFilename": "libxml2-doc_2.7.8.dfsg-2+squeeze10_all.deb", "packageName": "libxml2-doc", "operator": "lt"}], "description": "Package : libxml2\nVersion : 2.7.8.dfsg-2+squeeze10\nCVE ID : CVE-2014-0191 CVE-2014-3660\n\nSogeti found a denial of service flaw in libxml2, a library providing\nsupport to read, modify and write XML and HTML files. A remote attacker\ncould provide a specially crafted XML file that, when processed by an\napplication using libxml2, would lead to excessive CPU consumption\n(denial of service) based on excessive entity substitutions, even if\nentity substitution was disabled, which is the parser default behavior.\n(CVE-2014-3660)\n\nIn addition, this update addresses a misapplied chunk for a patch\nreleased the previous version (#762864).\n", "edition": 1, "reporter": "Debian", "published": "2014-10-29T21:45:26", "title": "[SECURITY] [DLA 80-1] libxml2 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:15", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "modified": "2014-10-29T21:45:26", "id": "DEBIAN:DLA-80-1:DE419", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201410/msg00014.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-18T13:49:17", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "2.8.0+dfsg1-7+wheezy3", "arch": "all", "packageFilename": "libxml2_2.8.0+dfsg1-7+wheezy3_all.deb", "packageName": "libxml2", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2978-2 security@debian.org\nhttp://www.debian.org/security/ Alessandro Ghedini\nFebruary 06, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libxml2\nCVE ID : CVE-2014-0191 CVE-2014-3660\nDebian Bug : 768089\n\nIt was discovered that the update released for libxml2 in DSA 2978 fixing\nCVE-2014-0191 was incomplete. This caused libxml2 to still fetch external\nentities regardless of whether entity substitution or validation is\nenabled.\n\nIn addition, this update addresses a regression introduced in DSA 3057 by\nthe patch fixing CVE-2014-3660. This caused libxml2 to not parse an\nentity when it&#x27;s used first in another entity referenced from an\nattribute value.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 2.8.0+dfsg1-7+wheezy3.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 2.9.1+dfsg1-4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.9.1+dfsg1-4.\n\nWe recommend that you upgrade your libxml2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-02-06T22:41:13", "title": "[SECURITY] [DSA 2978-2] libxml2 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:49:17", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "modified": "2015-02-06T22:41:13", "id": "DEBIAN:DSA-2978-2:69125", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00039.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:29", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=509834", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0191"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.9.1-r4", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "dev-libs/libxml2", "operator": "lt"}], "edition": 1, "description": "### Background\n\nlibxml2 is the XML C parser and toolkit developed for the Gnome project.\n\n### Description\n\nA vulnerability in the xmlParserHandlePEReference() function of parser.c, when expanding entity references, can be exploited to consume large amounts of memory and cause a crash or hang. \n\n### Impact\n\nA remote attacker may be able to cause Denial of Service via a specially crafted XML file containing malicious attributes. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll libxml2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/libxml2-2.9.1-r4\"", "reporter": "Gentoo Foundation", "published": "2014-09-19T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "gentoo", "title": "libxml2: Denial of Service", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-09-19T00:00:00", "id": "GLSA-201409-08", "href": "https://security.gentoo.org/glsa/201409-08", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:50", "references": ["http://www.openwall.com/lists/oss-security/2014/05/06/4", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191", "https://git.gnome.org/browse/libxml2/tag/?id=CVE-2014-0191"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.9.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libxml2", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.7.6_2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "linux-c6-libxml2", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "*", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "linux-f10-libxml2", "operator": "eq"}], "description": "\nStefan Cornelius reports:\n\nIt was discovered that libxml2, a library providing\n\t support to read, modify and write XML files, incorrectly\n\t performs entity substitution in the doctype prolog, even if\n\t the application using libxml2 disabled any entity\n\t substitution. A remote attacker could provide a\n\t specially-crafted XML file that, when processed, would lead\n\t to the exhaustion of CPU and memory resources or file\n\t descriptors.\nThis issue was discovered by Daniel Berrange of Red Hat.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2013-12-03T00:00:00", "title": "libxml2 -- entity substitution DoS", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2015-07-15T00:00:00", "id": "EFDD0EDC-DA3D-11E3-9ECB-2C4138874F7D", "href": "https://vuxml.freebsd.org/freebsd/efdd0edc-da3d-11e3-9ecb-2c4138874f7d.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:55", "references": ["https://vulners.com/securityvulns/securityvulns:doc:30700"], "description": "CPU exhaustion on XML parsing.", "edition": 1, "reporter": "OSS-SECURITY", "published": "2014-05-07T00:00:00", "title": "libxml2 DoS", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:55", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-0191"], "modified": "2014-05-07T00:00:00", "id": "SECURITYVULNS:VULN:13754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13754", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:52", "references": [], "description": "\r\n\r\nHi,\r\n\r\nIt was discovered that libxml2, a library providing support to read,\r\nmodify and write XML files, incorrectly performs entity substituton in\r\nthe doctype prolog, even if the application using libxml2 disabled any\r\nentity substitution. A remote attacker could provide a\r\nspecially-crafted XML file that, when processed, would lead to the\r\nexhaustion of CPU and memory resources or file descriptors.\r\n\r\nThis issue was discovered by Daniel Berrange of Red Hat.\r\n\r\nUpstream patch:\r\nhttps://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df\r\n\r\nRed Hat bug:\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1090976\r\n\r\n-- Stefan Cornelius / Red Hat Security Response Team\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-07T00:00:00", "title": "[oss-security] CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:52", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": [], "modified": "2014-05-07T00:00:00", "id": "SECURITYVULNS:DOC:30700", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30700", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:56", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2014-0012\r\nSynopsis: VMware vSphere product updates address security \r\n vulnerabilities\r\nIssue date: 2014-12-04\r\nUpdated on: 2014-12-04 &#40;Initial Advisory&#41;\r\nCVE number: CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191, \r\n CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and \r\n CVE-2013-4238\r\n- ------------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n VMware vSphere product updates address a Cross Site Scripting issue, \r\n a certificate validation issue and security vulnerabilities in \r\n third-party libraries.\r\n \r\n2. Relevant releases\r\n\r\n VMware vCenter Server Appliance 5.1 Prior to Update 3 \r\n\r\n VMware vCenter Server 5.5 prior to Update 2\r\n VMware vCenter Server 5.1 prior to Update 3\r\n VMware vCenter Server 5.0 prior to Update 3c\r\n\r\n VMware ESXi 5.1 without patch ESXi510-201412101-SG\r\n\r\n3. Problem Description \r\n\r\n a. VMware vCSA cross-site scripting vulnerability\r\n\r\n VMware vCenter Server Appliance &#40;vCSA&#41; contains a vulnerability\r\n that may allow for Cross Site Scripting. Exploitation of this \r\n vulnerability in vCenter Server requires tricking a user to click\r\n on a malicious link or to open a malicious web page while they are\r\n logged in into vCenter. \r\n\r\n VMware would like to thank Tanya Secker of Trustwave SpiderLabs for \r\n reporting this issue to us. \r\n\r\n The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; \r\n has assigned the name CVE-2014-3797 to this issue. \r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is \r\n available.\r\n\r\n VMware Product\tRunning Replace with/\r\n Product Version\ton Apply Patch\r\n ============= =======\t======= =================\r\n vCSA 5.5 any Not Affected\r\n vCSA 5.1 any 5.1 Update 3\r\n vCSA 5.0 any Not Affected\r\n\r\n b. vCenter Server certificate validation issue\r\n\r\n vCenter Server does not properly validate the presented certificate \r\n when establishing a connection to a CIM Server residing on an ESXi \r\n host. This may allow for a Man-in-the-middle attack against the CIM \r\n service.\r\n\r\n VMware would like to thank The Google Security Team for reporting \r\n this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41;\r\n has assigned the identifier CVE-2014-8371 to this issue. \r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is \r\n available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= =======\t======= ==============\r\n vCenter Server 5.5 any 5.5 Update 2\r\n vCenter Server 5.1 any 5.1 Update 3\r\n vCenter Server 5.0 any 5.0 Update 3c\r\n\r\n c. Update to ESXi libxml2 package\r\n\r\n libxml2 is updated to address multiple security issues. \r\n\r\n The Common Vulnerabilities and Exposures project \r\n &#40;cve.mitre.org&#41; has assigned the names CVE-2013-2877 and\r\n CVE-2014-0191 to these issues. \r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is \r\n available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======= ======= =================\r\n ESXi 5.5 any Patch Pending\r\n ESXi 5.1 any ESXi510-201412101-SG\r\n ESXi 5.0 any No patch planned\r\n\r\n d. Update to ESXi Curl package\r\n\r\n Curl is updated to address multiple security issues. \r\n\r\n The Common Vulnerabilities and Exposures project \r\n &#40;cve.mitre.org&#41; has assigned the names CVE-2014-0015 and \r\n CVE-2014-0138 to these issues. \r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is \r\n available.\r\n\r\n VMware Product\tRunning Replace with/\r\n Product Version\ton Apply Patch\r\n ========= =======\t======= =================\r\n ESXi 5.5 any Patch Pending\r\n ESXi 5.1 any ESXi510-201412101-SG\r\n ESXi 5.0 any No patch planned\r\n\r\n e. Update to ESXi Python package\r\n\r\n Python is updated to address multiple security issues. \r\n\r\n The Common Vulnerabilities and Exposures project \r\n &#40;cve.mitre.org&#41; has assigned the names CVE-2013-1752 and \r\n CVE-2013-4238 to these issues. \r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is \r\n available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======= ======= =================\r\n ESXi 5.5 any Patch Pending\r\n ESXi 5.1 any ESXi510-201412101-SG\r\n ESXi 5.0 any Patch Pending\r\n\r\n f. vCenter and Update Manager, Oracle JRE 1.6 Update 81\r\n\r\n Oracle has documented the CVE identifiers that are addressed in \r\n JRE 1.6.0 update 81 in the Oracle Java SE Critical Patch Update\r\n Advisory of July 2014. The References section provides a link to\r\n this advisory. \r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======= ======= =================\r\n vCenter Server 5.5 any not applicable *\r\n vCenter Server 5.1 any 5.1 Update 3\r\n vCenter Server 5.0 any patch pending\r\n vCenter Update Manager 5.5 any not applicable *\r\n vCenter Update Manager 5.1 any 5.1 Update 3\r\n vCenter Update Manager 5.0 any patch pending\r\n\r\n * this product uses the Oracle JRE 1.7.0 family\r\n\r\n4. Solution\r\n\r\n Please review the patch/release notes for your product and version \r\n and verify the checksum of your downloaded file. \r\n \r\n vCSA 5.1 Update 3, vCenter Server 5.1 Update 3 and Update Manager 5.1\r\n Update 3\r\n ----------------------------\r\n Downloads and Documentation: \r\n https://www.vmware.com/go/download-vsphere\r\n\r\n ESXi 5.1\r\n ----------------------------\r\n File: update-from-esxi5.1-5.1_update03.zip.zip\r\n md5sum: b3fd3549b59c6c59c04bfd09b08c6edf\r\n sha1sum: 02139101fe205894774caac02820f6ea8416fb8b\r\n http://kb.vmware.com/kb/2086288\r\n update-from-esxi5.1-5.1_update03 contains ESXi510-201412101-SG\r\n \r\n5. References\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3797\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8371\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238\r\n\r\n JRE \r\n Oracle Java SE Critical Patch Update Advisory of July 2014\r\n\r\n http://www.oracle.com/technetwork/topics/security/cpujul2014-\r\n1972956.html\r\n\r\n- ------------------------------------------------------------------------\r\n\r\n6. Change log\r\n\r\n 2014-12-04 VMSA-2014-0012\r\n Initial security advisory in conjunction with the release of VMware\r\n vCSA 5.1 Update 3, vCenter Server 5.1 Update 3 and ESXi 5.1 Patches \r\n released on 2014-12-04.\r\n\r\n- ------------------------------------------------------------------------\r\n\r\n7. Contact\r\n\r\n E-mail list for product security notifications and announcements:\r\n http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\n This Security Advisory is posted to the following lists:\r\n\r\n security-announce at lists.vmware.com\r\n bugtraq at securityfocus.com\r\n fulldisclosure at seclists.org\r\n\r\n E-mail: security at vmware.com\r\n PGP key at: http://kb.vmware.com/kb/1055\r\n\r\n VMware Security Advisories\r\n http://www.vmware.com/security/advisories\r\n\r\n Consolidated list of VMware Security Advisories\r\n http://kb.vmware.com/kb/2078735\r\n\r\n VMware Security Response Policy\r\n https://www.vmware.com/support/policies/security_response.html\r\n\r\n VMware Lifecycle Support Phases\r\n https://www.vmware.com/support/policies/lifecycle.html\r\n \r\n Twitter\r\n https://twitter.com/VMwareSRC\r\n\r\n Copyright 2014 VMware Inc. All rights reserved.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: Encryption Desktop 10.3.0 &#40;Build 8741&#41;\r\nCharset: utf-8\r\n\r\nwj8DBQFUgLnkDEcm8Vbi9kMRArHeAKDSKrUyaCHxpcXMS8KRHlaB80B90wCdGoV1\r\nea+5vLRA631Cn0q1Mt63s4s=\r\n=OYK3\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-12-11T00:00:00", "title": "NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:56", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-3797", "CVE-2014-0191", "CVE-2013-4238", "CVE-2013-2877", "CVE-2014-0015", "CVE-2013-1752", "CVE-2014-8371", "CVE-2014-0138"], "modified": "2014-12-11T00:00:00", "id": "SECURITYVULNS:DOC:31491", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31491", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:01", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32392"], "description": "Over 70 of different vulnerabilities.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-08-17T00:00:00", "title": "Apple iOS multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:01", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Apple iOS", "version": "8.4", "operator": "eq"}], "cvelist": ["CVE-2015-3758", "CVE-2015-3733", "CVE-2015-3776", "CVE-2015-3736", "CVE-2015-3802", "CVE-2015-3797", "CVE-2014-0191", "CVE-2015-5752", "CVE-2015-3744", "CVE-2015-3734", "CVE-2015-3731", "CVE-2015-3778", "CVE-2015-3752", "CVE-2015-3732", "CVE-2015-5776", "CVE-2015-3766", "CVE-2015-3798", "CVE-2015-3738", "CVE-2015-5777", "CVE-2015-5759", "CVE-2015-3740", "CVE-2015-3782", "CVE-2015-3739", "CVE-2015-3784", "CVE-2015-3743", "CVE-2015-3768", "CVE-2015-3747", "CVE-2015-5781", "CVE-2015-5749", "CVE-2015-3805", "CVE-2015-5774", "CVE-2015-3730", "CVE-2015-3803", "CVE-2015-3750", "CVE-2015-3795", "CVE-2015-3755", "CVE-2015-5766", "CVE-2015-5746", "CVE-2015-5761", "CVE-2015-3753", "CVE-2015-5773", "CVE-2015-3800", "CVE-2015-3807", "CVE-2015-5756", "CVE-2014-3660", "CVE-2015-3749", "CVE-2015-3742", "CVE-2012-6685", "CVE-2015-3748", "CVE-2015-5775", "CVE-2015-3759", "CVE-2015-3746", "CVE-2015-5770", "CVE-2015-3793", "CVE-2015-5755", "CVE-2015-3756", "CVE-2015-5758", "CVE-2015-3763", "CVE-2015-3804", "CVE-2015-3741", "CVE-2015-3751", "CVE-2015-5782", "CVE-2015-5778", "CVE-2015-3745", "CVE-2015-3735", "CVE-2015-5757", "CVE-2015-3796", "CVE-2015-3806", "CVE-2015-3737", "CVE-2015-5769", "CVE-2015-3729"], "modified": "2015-08-17T00:00:00", "id": "SECURITYVULNS:VULN:14631", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14631", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:00", "references": [], "description": "\r\n\r\nAPPLE-SA-2015-08-13-3 iOS 8.4.1\r\n\r\niOS 8.4.1 is now available and addresses the following:\r\n\r\nAppleFileConduit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A maliciously crafted afc command may allow access to\r\nprotected parts of the filesystem\r\nDescription: An issue existed in the symbolic linking mechanism of\r\nafc. This issue was addressed by adding additional path checks.\r\nCVE-ID\r\nCVE-2015-5746 : evad3rs, TaiG Jailbreak Team\r\n\r\nAir Traffic\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: AirTraffic may have allowed access to protected parts of the\r\nfilesystem\r\nDescription: A path traversal issue existed in asset handling. This\r\nwas addressed with improved validation.\r\nCVE-ID\r\nCVE-2015-5766 : TaiG Jailbreak Team\r\n\r\nBackup\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to create symlinks to\r\nprotected regions of the disk\r\nDescription: An issue existed within the path validation logic for\r\nsymlinks. This issue was addressed through improved path\r\nsanitization.\r\nCVE-ID\r\nCVE-2015-5752 : TaiG Jailbreak Team\r\n\r\nbootp\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious Wi-Fi network may be able to determine networks\r\na device has previously accessed\r\nDescription: Upon connecting to a Wi-Fi network, iOS may have\r\nbroadcast MAC addresses of previously accessed networks via the DNAv4\r\nprotocol. This issue was addressed through disabling DNAv4 on\r\nunencrypted Wi-Fi networks.\r\nCVE-ID\r\nCVE-2015-3778 : Piers O&#39;Hanlon of Oxford Internet Institute,\r\nUniversity of Oxford &#40;on the EPSRC Being There project&#41;\r\n\r\nCertificate UI\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: An attacker with a privileged network position may be able\r\nto accept untrusted certificates from the lock screen\r\nDescription: Under certain circumstances, the device may have\r\npresented a certificate trust dialog while in a locked state. This\r\nissue was addressed through improved state management.\r\nCVE-ID\r\nCVE-2015-3756 : Andy Grant of NCC Group\r\n\r\nCloudKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to access the iCloud\r\nuser record of a previously signed in user\r\nDescription: A state inconsistency existed in CloudKit when signing\r\nout users. This issue was addressed through improved state handling.\r\nCVE-ID\r\nCVE-2015-3782 : Deepkanwal Plaha of University of Toronto\r\n\r\nCFPreferences\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious app may be able to read other apps&#39; managed\r\npreferences\r\nDescription: An issue existed in the third-party app sandbox. This\r\nissue was addressed by improving the third-party sandbox profile.\r\nCVE-ID\r\nCVE-2015-3793 : Andreas Weinlein of the Appthority Mobility Threat\r\nTeam\r\n\r\nCode Signing\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to execute unsigned code\r\nDescription: An issue existed that allowed unsigned code to be\r\nappended to signed code in a specially crafted executable file. This\r\nissue was addressed through improved code signature validation.\r\nCVE-ID\r\nCVE-2015-3806 : TaiG Jailbreak Team\r\n\r\nCode Signing\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A specially crafted executable file could allow unsigned,\r\nmalicious code to execute\r\nDescription: An issue existed in the way multi-architecture\r\nexecutable files were evaluated that could have allowed unsigned code\r\nto be executed. This issue was addressed through improved validation\r\nof executable files.\r\nCVE-ID\r\nCVE-2015-3803 : TaiG Jailbreak Team\r\n\r\nCode Signing\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A local user may be able to execute unsigned code\r\nDescription: A validation issue existed in the handling of Mach-O\r\nfiles. This was addressed by adding additional checks.\r\nCVE-ID\r\nCVE-2015-3802 : TaiG Jailbreak Team\r\nCVE-2015-3805 : TaiG Jailbreak Team\r\n\r\nCoreMedia Playback\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in CoreMedia\r\nPlayback. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5777 : Apple\r\nCVE-2015-5778 : Apple\r\n\r\nCoreText\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5755 : John Villamil &#40;@day6reak&#41;, Yahoo Pentest Team\r\nCVE-2015-5761 : John Villamil &#40;@day6reak&#41;, Yahoo Pentest Team\r\n\r\nDiskImages\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Processing a maliciously crafted DMG file may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in parsing of\r\nmalformed DMG images. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team\r\n\r\nFontParser\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-3804 : Apple\r\nCVE-2015-5756 : John Villamil &#40;@day6reak&#41;, Yahoo Pentest Team\r\nCVE-2015-5775 : Apple\r\n\r\nImageIO\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Processing a maliciously crafted .tiff file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\n.tiff files. This issue was addressed through improved bounds\r\nchecking.\r\nCVE-ID\r\nCVE-2015-5758 : Apple\r\n\r\nImageIO\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Visiting a maliciously crafted website may result in the\r\ndisclosure of process memory\r\nDescription: An uninitialized memory access issue existed in\r\nImageIO&#39;s handling of PNG images. Visiting a malicious website may\r\nresult in sending data from process memory to the website. This issue\r\nwas addressed through improved memory initialization and additional\r\nvalidation of PNG images.\r\nCVE-ID\r\nCVE-2015-5781 : Michal Zalewski\r\n\r\nImageIO\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Visiting a maliciously crafted website may result in the\r\ndisclosure of process memory\r\nDescription: An uninitialized memory access issue existed in\r\nImageIO&#39;s handling of TIFF images. Visiting a malicious website may\r\nresult in sending data from process memory to the website. This issue\r\nis addressed through improved memory initialization and additional\r\nvalidation of TIFF images.\r\nCVE-ID\r\nCVE-2015-5782 : Michal Zalewski\r\n\r\nIOKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Parsing a maliciously crafted plist may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption existed in processing of malformed\r\nplists. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein\r\n&#40;@jollyjinx&#41; of Jinx Germany\r\n\r\nIOHIDFamily\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A buffer overflow issue existed in IOHIDFamily. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5774 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: An issue existed in the mach_port_space_info interface,\r\nwhich could have led to the disclosure of kernel memory layout. This\r\nwas addressed by disabling the mach_port_space_info interface.\r\nCVE-ID\r\nCVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,\r\n@PanguTeam\r\n\r\nKernel\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: An integer overflow existed in the handling of IOKit\r\nfunctions. This issue was addressed through improved validation of\r\nIOKit API arguments.\r\nCVE-ID\r\nCVE-2015-3768 : Ilja van Sprundel\r\n\r\nLibc\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Processing a maliciously crafted regular expression may lead\r\nto an unexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the TRE library.\r\nThis issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3796 : Ian Beer of Google Project Zero\r\nCVE-2015-3797 : Ian Beer of Google Project Zero\r\nCVE-2015-3798 : Ian Beer of Google Project Zero\r\n\r\nLibinfo\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in handling AF_INET6\r\nsockets. This issue was addressed by improved memory handling.\r\nCVE-ID\r\nCVE-2015-5776 : Apple\r\n\r\nlibpthread\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in handling syscalls.\r\nThis issue was addressed through improved lock state checking.\r\nCVE-ID\r\nCVE-2015-5757 : Lufeng Li of Qihoo 360\r\n\r\nlibxml2\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Parsing a maliciously crafted XML document may lead to\r\ndisclosure of user information\r\nDescription: A memory corruption issue existed in parsing of XML\r\nfiles. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3807 : Michal Zalewski\r\n\r\nlibxml2\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Multiple vulnerabilities existed in libxml2 versions prior\r\nto 2.9.2, the most serious of which may allow a remote attacker to\r\ncause a denial of service\r\nDescription: Multiple vulnerabilities existed in libxml2 versions\r\nprior to 2.9.2. These were addressed by updating libxml2 to version\r\n2.9.2.\r\nCVE-ID\r\nCVE-2012-6685 : Felix Groebert of Google\r\nCVE-2014-0191 : Felix Groebert of Google\r\nCVE-2014-3660 : Felix Groebert of Google\r\n\r\nlibxpc\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in handling of\r\nmalformed XPC messages. This issue was improved through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-3795 : Mathew Rowley\r\n\r\nLocation Framework\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A local user may be able to modify protected parts of the\r\nfilesystem\r\nDescription: A symbolic link issue was addressed through improved\r\npath validation.\r\nCVE-ID\r\nCVE-2015-3759 : Cererdlong of Alibaba Mobile Security Team\r\n\r\nMobileInstallation\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious enterprise application may be able to replace\r\nextensions for other apps\r\nDescription: An issue existed in the install logic for universal\r\nprovisioning profile apps, which allowed a collision to occur with\r\nexisting bundle IDs. This issue was addressed through improved bundle\r\nID validation.\r\nCVE-ID\r\nCVE-2015-5770 : FireEye\r\n\r\nMSVDX Driver\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Viewing a malicious video may lead to a unexpected system\r\ntermination\r\nDescription: A denial of service issue was addressed through\r\nimproved memory handling.\r\nCVE-ID\r\nCVE-2015-5769 : Proteas of Qihoo 360 Nirvan Team\r\n\r\nOffice Viewer\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Parsing a maliciously crafted XML file may lead to\r\ndisclosure of user information\r\nDescription: An external entity reference issue existed in XML file\r\nparsing. This issue was addressed through improved parsing.\r\nCVE-ID\r\nCVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.\r\n\r\nQL Office\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Parsing a maliciously crafted office document may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in parsing of office\r\ndocuments. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5773 : Apple\r\n\r\nSafari\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Visiting a malicious website may lead to user interface\r\nspoofing\r\nDescription: A malicious website could open another site and prompt\r\nfor user input without a way for the user to tell where the prompt\r\noriginated. The issue was addressed by displaying the prompt&#39;s origin\r\nto the user.\r\nCVE-ID\r\nCVE-2015-3729 : Code Audit Labs of VulnHunt.com\r\n\r\nSafari\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious website may trigger an infinite number of alert\r\nmessages\r\nDescription: An issue existed where a malicious or hacked website\r\ncould show infinite alert messages and make users believe their\r\nbrowser was locked. The issue was addressed through throttling of\r\nJavaScript alerts.\r\nCVE-ID\r\nCVE-2015-3763\r\n\r\nSandbox_profiles\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: An malicious app may be able to read other apps&#39; managed\r\npreferences\r\nDescription: An issue existed in the third-party app sandbox. This\r\nissue was addressed by improving the third-party sandbox profile.\r\nCVE-ID\r\nCVE-2015-5749 : Andreas Weinlein of the Appthority Mobility Threat\r\nTeam\r\n\r\nUIKit WebView\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious application may be able to initiate FaceTime\r\ncalls without user authorization\r\nDescription: An issue existed in the parsing of FaceTime URLs within\r\nWebViews. This issue was addressed through improved URL validation.\r\nCVE-ID\r\nCVE-2015-3758 : Brian Simmons of Salesforce, Guillaume Ross\r\n\r\nWebKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Visiting a maliciously crafted website may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in WebKit.\r\nThese issues were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3730 : Apple\r\nCVE-2015-3731 : Apple\r\nCVE-2015-3732 : Apple\r\nCVE-2015-3733 : Apple\r\nCVE-2015-3734 : Apple\r\nCVE-2015-3735 : Apple\r\nCVE-2015-3736 : Apple\r\nCVE-2015-3737 : Apple\r\nCVE-2015-3738 : Apple\r\nCVE-2015-3739 : Apple\r\nCVE-2015-3740 : Apple\r\nCVE-2015-3741 : Apple\r\nCVE-2015-3742 : Apple\r\nCVE-2015-3743 : Apple\r\nCVE-2015-3744 : Apple\r\nCVE-2015-3745 : Apple\r\nCVE-2015-3746 : Apple\r\nCVE-2015-3747 : Apple\r\nCVE-2015-3748 : Apple\r\nCVE-2015-3749 : Apple\r\n\r\nWeb\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Visiting a malicious website may lead to user interface\r\nspoofing\r\nDescription: Navigating to a malformed URL may have allowed a\r\nmalicious website to display an arbitrary URL. This issue was\r\naddressed through improved URL handling.\r\nCVE-ID\r\nCVE-2015-3755 : xisigr of Tencent&#39;s Xuanwu Lab\r\n\r\nWebKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious website may exfiltrate image data cross-origin\r\nDescription: Images fetched through URLs that redirected to a\r\ndata:image resource could have been exfiltrated cross-origin. This\r\nissue was addressed through improved canvas taint tracking.\r\nCVE-ID\r\nCVE-2015-3753 : Antonio Sanso and Damien Antipa of Adobe\r\n\r\nWebKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious website can trigger plaintext requests to an\r\norigin under HTTP Strict Transport Security\r\nDescription: An issue existed where Content Security Policy report\r\nrequests would not honor HTTP Strict Transport Security &#40;HSTS&#41;. The\r\nissue was addressed by applying HSTS to CSP.\r\nCVE-ID\r\nCVE-2015-3750 : Muneaki Nishimura &#40;nishimunea&#41;\r\n\r\nWebKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: A malicious website can make a tap event produce a synthetic\r\nclick on another page\r\nDescription: An issue existed in how synthetic clicks are generated\r\nfrom tap events that could cause clicks to target other pages. The\r\nissue was addressed through restricted click propagation.\r\nCVE-ID\r\nCVE-2015-5759 : Phillip Moon and Matt Weston of Sandfield\r\n\r\nWebKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Content Security Policy report requests may leak cookies\r\nDescription: Two issues existed in how cookies were added to Content\r\nSecurity Policy report requests. Cookies were sent in cross-origin\r\nreport requests in violation of the standard. Cookies set during\r\nregular browsing were sent in private browsing. These issues were\r\naddressed through improved cookie handling.\r\nCVE-ID\r\nCVE-2015-3752 : Muneaki Nishimura &#40;nishimunea&#41;\r\n\r\nWebKit\r\nAvailable for: iPhone 4s and later,\r\niPod touch &#40;5th generation&#41; and later, iPad 2 and later\r\nImpact: Image loading may violate a website&#39;s Content Security\r\nPolicy directive\r\nDescription: An issue existed where websites with video controls\r\nwould load images nested in object elements in violation of the\r\nwebsite&#39;s Content Security Policy directive. This issue was addressed\r\nthrough improved Content Security Policy enforcement.\r\nCVE-ID\r\nCVE-2015-3751 : Muneaki Nishimura &#40;nishimunea&#41;\r\n\r\n\r\nInstallation note:\r\n\r\nThis update is available through iTunes and Software Update on your\r\niOS device, and will not appear in your computer&#39;s Software Update\r\napplication, or in the Apple Downloads site. Make sure you have an\r\nInternet connection and have installed the latest version of iTunes\r\nfrom www.apple.com/itunes/\r\n\r\niTunes and Software Update on the device will automatically check\r\nApple&#39;s update server on its weekly schedule. When an update is\r\ndetected, it is downloaded and the option to be installed is\r\npresented to the user when the iOS device is docked. We recommend\r\napplying the update immediately if possible. Selecting Don&#39;t Install\r\nwill present the option the next time you connect your iOS device.\r\n\r\nThe automatic update process may take up to a week depending on the\r\nday that iTunes or the device checks for updates. You may manually\r\nobtain the update via the Check for Updates button within iTunes, or\r\nthe Software Update on your device.\r\n\r\nTo check that the iPhone, iPod touch, or iPad has been updated:\r\n\r\n* Navigate to Settings\r\n* Select General\r\n* Select About. The version after applying this update\r\nwill be &quot;8.4.1&quot;.\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: https://support.apple.com/kb/HT201222\r\n\r\nThis message is signed with Apple&#39;s Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-08-17T00:00:00", "title": "APPLE-SA-2015-08-13-3 iOS 8.4.1", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:00", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-3758", "CVE-2015-3733", "CVE-2015-3776", "CVE-2015-3736", "CVE-2015-3802", "CVE-2015-3797", "CVE-2014-0191", "CVE-2015-5752", "CVE-2015-3744", "CVE-2015-3734", "CVE-2015-3731", "CVE-2015-3778", "CVE-2015-3752", "CVE-2015-3732", "CVE-2015-5776", "CVE-2015-3766", "CVE-2015-3798", "CVE-2015-3738", "CVE-2015-5777", "CVE-2015-5759", "CVE-2015-3740", "CVE-2015-3782", "CVE-2015-3739", "CVE-2015-3784", "CVE-2015-3743", "CVE-2015-3768", "CVE-2015-3747", "CVE-2015-5781", "CVE-2015-5749", "CVE-2015-3805", "CVE-2015-5774", "CVE-2015-3730", "CVE-2015-3803", "CVE-2015-3750", "CVE-2015-3795", "CVE-2015-3755", "CVE-2015-5766", "CVE-2015-5746", "CVE-2015-5761", "CVE-2015-3753", "CVE-2015-5773", "CVE-2015-3800", "CVE-2015-3807", "CVE-2015-5756", "CVE-2014-3660", "CVE-2015-3749", "CVE-2015-3742", "CVE-2012-6685", "CVE-2015-3748", "CVE-2015-5775", "CVE-2015-3759", "CVE-2015-3746", "CVE-2015-5770", "CVE-2015-3793", "CVE-2015-5755", "CVE-2015-3756", "CVE-2015-5758", "CVE-2015-3763", "CVE-2015-3804", "CVE-2015-3741", "CVE-2015-3751", "CVE-2015-5782", "CVE-2015-5778", "CVE-2015-3745", "CVE-2015-3735", "CVE-2015-5757", "CVE-2015-3796", "CVE-2015-3806", "CVE-2015-3737", "CVE-2015-5769", "CVE-2015-3729"], "modified": "2015-08-17T00:00:00", "id": "SECURITYVULNS:DOC:32392", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32392", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32657", "https://vulners.com/securityvulns/securityvulns:doc:32654", "https://vulners.com/securityvulns/securityvulns:doc:32655", "https://vulners.com/securityvulns/securityvulns:doc:32656", "https://vulners.com/securityvulns/securityvulns:doc:32658", "https://vulners.com/securityvulns/securityvulns:doc:32659", "https://vulners.com/securityvulns/securityvulns:doc:32653"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "reporter": "ORACLE", "published": "2015-11-02T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PeopleSoft Enterprise HCM Talent Acquistion Managment", "version": "9.2", "operator": "eq"}, {"name": "Endeca Server", "version": "7.6", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "eq"}, {"name": "Oracle Traffic Director", "version": "11.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Oracle Communications LSMS", "version": "13.1", "operator": "eq"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "eq"}, {"name": "Oracle Enterprise Data Quality", "version": "12.1", "operator": "eq"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "eq"}, {"name": "Hyperion Installation Technology", "version": "11.1", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "Java SE Embedded", "version": "8", "operator": "eq"}, {"name": "Outside In Technology", "version": "8.5", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Oracle", "version": "11.2", "operator": "eq"}, {"name": "Oracle Retail Returns Management", "version": "14.0", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Solaris", "version": "11.2", "operator": "eq"}, {"name": "MySQL Enterprise Monitor", "version": "3.0", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "Oracle Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "eq"}, {"name": "Oracle WebCenter Content", "version": "10.1", "operator": "eq"}, {"name": "Oracle Configurator", "version": "12.2", "operator": "eq"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "10.1", "operator": "eq"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "7.1", "operator": "eq"}, {"name": "Oracle Identity Manager", "version": "11.1", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "FS1-2 Flash Storage System", "version": "6.3", "operator": "eq"}, {"name": "Integrated Lights Out Manager", "version": "3.2", "operator": "eq"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1", "operator": "eq"}, {"name": "OSS Support Tools", "version": "8.8", "operator": "eq"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "eq"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2", "operator": "eq"}, {"name": "Oracle Communications Tekelec HLR Router", "version": "4.0", "operator": "eq"}, {"name": "VirtualBox", "version": "5.0", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "PeopleSoft Enterprise FIN Expenses", "version": "9.2", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Oracle Mobile Security Suite", "version": "3.0", "operator": "eq"}, {"name": "Oracle Communications User Data Repository", "version": "10.2", "operator": "eq"}, {"name": "Oracle Communications Convergence", "version": "3.0", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "JDeveloper", "version": "12.1", "operator": "eq"}, {"name": "Oracle Mobile Server", "version": "12.1", "operator": "eq"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9", "operator": "eq"}, {"name": "Oracle Communications Policy Management", "version": "12.1", "operator": "eq"}, {"name": "Oracle WebCenter Sites", "version": "11.1", "operator": "eq"}, {"name": "JavaFX", "version": "2.2", "operator": "eq"}, {"name": "Fusion Middleware", "version": "12.1", "operator": "eq"}, {"name": "Siebel Applications", "version": "2015", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "12.1", "operator": "eq"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "Oracle Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Oracle Retail Open Commerce Platform", "version": "3.0", "operator": "eq"}], "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:01", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32391", "https://vulners.com/securityvulns/securityvulns:doc:32390"], "description": "Over 150 different vulnerabilities in system components and libraries.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-08-17T00:00:00", "title": "Apple Mac OS X / OS X Server multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:01", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "MacOS X", "version": "10.10", "operator": "eq"}, {"name": "MacOS X Server", "version": "4.1", "operator": "eq"}], "cvelist": ["CVE-2015-5768", "CVE-2015-5600", "CVE-2015-2787", "CVE-2015-5779", "CVE-2013-1775", "CVE-2015-3185", "CVE-2015-3786", "CVE-2015-1792", "CVE-2015-3761", "CVE-2014-7844", "CVE-2015-3781", "CVE-2015-3776", "CVE-2015-2783", "CVE-2015-5748", "CVE-2014-1912", "CVE-2015-5477", "CVE-2015-3802", "CVE-2015-3797", "CVE-2014-0191", "CVE-2015-3762", "CVE-2015-3329", "CVE-2009-5078", "CVE-2015-5754", "CVE-2015-3783", "CVE-2015-3330", "CVE-2014-3613", "CVE-2015-1789", "CVE-2015-3789", "CVE-2014-8150", "CVE-2014-3583", "CVE-2015-3779", "CVE-2015-3788", "CVE-2015-3778", "CVE-2015-0241", "CVE-2013-1776", "CVE-2015-5776", "CVE-2015-3766", "CVE-2015-3775", "CVE-2013-7338", "CVE-2015-3798", "CVE-2015-5777", "CVE-2015-3765", "CVE-2015-3782", "CVE-2015-0242", "CVE-2015-0253", "CVE-2015-3784", "CVE-2015-3787", "CVE-2015-3799", "CVE-2015-3153", "CVE-2015-3768", "CVE-2015-3760", "CVE-2015-4148", "CVE-2015-5781", "CVE-2015-3805", "CVE-2015-3790", "CVE-2015-5774", "CVE-2015-3792", "CVE-2015-3803", "CVE-2015-3307", "CVE-2015-4025", "CVE-2015-5784", "CVE-2015-5751", "CVE-2015-4024", "CVE-2015-3795", "CVE-2015-5750", "CVE-2015-5747", "CVE-2015-4021", "CVE-2015-3144", "CVE-2014-7185", "CVE-2015-5761", "CVE-2013-2777", "CVE-2015-3794", "CVE-2015-5773", "CVE-2015-3769", "CVE-2014-3707", "CVE-2015-3800", "CVE-2015-0228", "CVE-2015-3807", "CVE-2015-0244", "CVE-2015-4026", "CVE-2014-8769", "CVE-2015-5756", "CVE-2014-3660", "CVE-2015-1788", "CVE-2015-4147", "CVE-2014-8161", "CVE-2012-6685", "CVE-2015-5753", "CVE-2015-3183", "CVE-2015-3772", "CVE-2014-3620", "CVE-2014-9140", "CVE-2013-2776", "CVE-2015-4022", "CVE-2015-3770", "CVE-2015-3777", "CVE-2015-5771", "CVE-2015-5775", "CVE-2015-3780", "CVE-2013-7422", "CVE-2015-5755", "CVE-2015-3145", "CVE-2015-1790", "CVE-2015-5758", "CVE-2014-0106", "CVE-2015-0243", "CVE-2015-3804", "CVE-2015-3773", "CVE-2014-3581", "CVE-2015-3774", "CVE-2015-5782", "CVE-2014-8109", "CVE-2015-5778", "CVE-2013-7040", "CVE-2015-3757", "CVE-2015-3764", "CVE-2015-3143", "CVE-2014-0067", "CVE-2015-5772", "CVE-2015-3791", "CVE-2014-9365", "CVE-2014-8151", "CVE-2015-5757", "CVE-2015-3796", "CVE-2009-5044", "CVE-2015-5783", "CVE-2014-9680", "CVE-2015-5763", "CVE-2014-8767", "CVE-2015-3767", "CVE-2015-3806", "CVE-2015-1791", "CVE-2015-3771", "CVE-2015-3148"], "modified": "2015-08-17T00:00:00", "id": "SECURITYVULNS:VULN:14630", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14630", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:00", "references": [], "description": "\r\n\r\nAPPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update\r\n2015-006\r\n\r\nOS X Yosemite v10.10.5 and Security Update 2015-006 is now available\r\nand addresses the following:\r\n\r\napache\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in Apache 2.4.16, the most\r\nserious of which may allow a remote attacker to cause a denial of\r\nservice.\r\nDescription: Multiple vulnerabilities existed in Apache versions\r\nprior to 2.4.16. These were addressed by updating Apache to version\r\n2.4.16.\r\nCVE-ID\r\nCVE-2014-3581\r\nCVE-2014-3583\r\nCVE-2014-8109\r\nCVE-2015-0228\r\nCVE-2015-0253\r\nCVE-2015-3183\r\nCVE-2015-3185\r\n\r\napache_mod_php\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in PHP 5.5.20, the most\r\nserious of which may lead to arbitrary code execution.\r\nDescription: Multiple vulnerabilities existed in PHP versions prior\r\nto 5.5.20. These were addressed by updating Apache to version 5.5.27.\r\nCVE-ID\r\nCVE-2015-2783\r\nCVE-2015-2787\r\nCVE-2015-3307\r\nCVE-2015-3329\r\nCVE-2015-3330\r\nCVE-2015-4021\r\nCVE-2015-4022\r\nCVE-2015-4024\r\nCVE-2015-4025\r\nCVE-2015-4026\r\nCVE-2015-4147\r\nCVE-2015-4148\r\n\r\nApple ID OD Plug-in\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able change the password of a\r\nlocal user\r\nDescription: In some circumstances, a state management issue existed\r\nin password authentication. The issue was addressed through improved\r\nstate management.\r\nCVE-ID\r\nCVE-2015-3799 : an anonymous researcher working with HP&#39;s Zero Day\r\nInitiative\r\n\r\nAppleGraphicsControl\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: An issue existed in AppleGraphicsControl which could\r\nhave led to the disclosure of kernel memory layout. This issue was\r\naddressed through improved bounds checking.\r\nCVE-ID\r\nCVE-2015-5768 : JieTao Yang of KeenTeam\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in\r\nIOBluetoothHCIController. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3779 : Teddy Reed of Facebook Security\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: A memory management issue could have led to the\r\ndisclosure of kernel memory layout. This issue was addressed with\r\nimproved memory management.\r\nCVE-ID\r\nCVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze\r\nNetworks\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious app may be able to access notifications from\r\nother iCloud devices\r\nDescription: An issue existed where a malicious app could access a\r\nBluetooth-paired Mac or iOS device&#39;s Notification Center\r\nnotifications via the Apple Notification Center Service. The issue\r\naffected devices using Handoff and logged into the same iCloud\r\naccount. This issue was resolved by revoking access to the Apple\r\nNotification Center Service.\r\nCVE-ID\r\nCVE-2015-3786 : Xiaolong Bai &#40;Tsinghua University&#41;, System Security\r\nLab &#40;Indiana University&#41;, Tongxin Li &#40;Peking University&#41;, XiaoFeng\r\nWang &#40;Indiana University&#41;\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: An attacker with privileged network position may be able to\r\nperform denial of service attack using malformed Bluetooth packets\r\nDescription: An input validation issue existed in parsing of\r\nBluetooth ACL packets. This issue was addressed through improved\r\ninput validation.\r\nCVE-ID\r\nCVE-2015-3787 : Trend Micro\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local attacker may be able to cause unexpected application\r\ntermination or arbitrary code execution\r\nDescription: Multiple buffer overflow issues existed in blued&#39;s\r\nhandling of XPC messages. These issues were addressed through\r\nimproved bounds checking.\r\nCVE-ID\r\nCVE-2015-3777 : mitp0sh of [PDX]\r\n\r\nbootp\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious Wi-Fi network may be able to determine networks\r\na device has previously accessed\r\nDescription: Upon connecting to a Wi-Fi network, iOS may have\r\nbroadcast MAC addresses of previously accessed networks via the DNAv4\r\nprotocol. This issue was addressed through disabling DNAv4 on\r\nunencrypted Wi-Fi networks.\r\nCVE-ID\r\nCVE-2015-3778 : Piers O&#39;Hanlon of Oxford Internet Institute,\r\nUniversity of Oxford &#40;on the EPSRC Being There project&#41;\r\n\r\nCloudKit\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to access the iCloud\r\nuser record of a previously signed in user\r\nDescription: A state inconsistency existed in CloudKit when signing\r\nout users. This issue was addressed through improved state handling.\r\nCVE-ID\r\nCVE-2015-3782 : Deepkanwal Plaha of University of Toronto\r\n\r\nCoreMedia Playback\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in CoreMedia Playback.\r\nThese were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5777 : Apple\r\nCVE-2015-5778 : Apple\r\n\r\nCoreText\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5761 : John Villamil &#40;@day6reak&#41;, Yahoo Pentest Team\r\n\r\nCoreText\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5755 : John Villamil &#40;@day6reak&#41;, Yahoo Pentest Team\r\n\r\ncurl\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities in cURL and libcurl prior to\r\n7.38.0, one of which may allow remote attackers to bypass the Same\r\nOrigin Policy.\r\nDescription: Multiple vulnerabilities existed in cURL and libcurl\r\nprior to 7.38.0. These issues were addressed by updating cURL to\r\nversion 7.43.0.\r\nCVE-ID\r\nCVE-2014-3613\r\nCVE-2014-3620\r\nCVE-2014-3707\r\nCVE-2014-8150\r\nCVE-2014-8151\r\nCVE-2015-3143\r\nCVE-2015-3144\r\nCVE-2015-3145\r\nCVE-2015-3148\r\nCVE-2015-3153\r\n\r\nData Detectors Engine\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a sequence of unicode characters can lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in processing of\r\nUnicode characters. These issues were addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-5750 : M1x7e1 of Safeye Team &#40;www.safeye.org&#41;\r\n\r\nDate &amp; Time pref pane\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Applications that rely on system time may have unexpected\r\nbehavior\r\nDescription: An authorization issue existed when modifying the\r\nsystem date and time preferences. This issue was addressed with\r\nadditional authorization checks.\r\nCVE-ID\r\nCVE-2015-3757 : Mark S C Smith\r\n\r\nDictionary Application\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: An attacker with a privileged network position may be able\r\nto intercept users&#39; Dictionary app queries\r\nDescription: An issue existed in the Dictionary app, which did not\r\nproperly secure user communications. This issue was addressed by\r\nmoving Dictionary queries to HTTPS.\r\nCVE-ID\r\nCVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security\r\nTeam\r\n\r\nDiskImages\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted DMG file may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in parsing of\r\nmalformed DMG images. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team\r\n\r\ndyld\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A path validation issue existed in dyld. This was\r\naddressed through improved environment sanitization.\r\nCVE-ID\r\nCVE-2015-3760 : beist of grayhash, Stefan Esser\r\n\r\nFontParser\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-3804 : Apple\r\nCVE-2015-5775 : Apple\r\n\r\nFontParser\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5756 : John Villamil &#40;@day6reak&#41;, Yahoo Pentest Team\r\n\r\ngroff\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple issues in pdfroff\r\nDescription: Multiple issues existed in pdfroff, the most serious of\r\nwhich may allow arbitrary filesystem modification. These issues were\r\naddressed by removing pdfroff.\r\nCVE-ID\r\nCVE-2009-5044\r\nCVE-2009-5078\r\n\r\nImageIO\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted TIFF image may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nTIFF images. This issue was addressed through improved bounds\r\nchecking.\r\nCVE-ID\r\nCVE-2015-5758 : Apple\r\n\r\nImageIO\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Visiting a maliciously crafted website may result in the\r\ndisclosure of process memory\r\nDescription: An uninitialized memory access issue existed in\r\nImageIO&#39;s handling of PNG and TIFF images. Visiting a malicious\r\nwebsite may result in sending data from process memory to the\r\nwebsite. This issue is addressed through improved memory\r\ninitialization and additional validation of PNG and TIFF images.\r\nCVE-ID\r\nCVE-2015-5781 : Michal Zalewski\r\nCVE-2015-5782 : Michal Zalewski\r\n\r\nInstall Framework Legacy\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with root privileges\r\nDescription: An issue existed in how Install.framework&#39;s &#39;runner&#39;\r\nbinary dropped privileges. This issue was addressed through improved\r\nprivilege management.\r\nCVE-ID\r\nCVE-2015-5784 : Ian Beer of Google Project Zero\r\n\r\nInstall Framework Legacy\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A race condition existed in\r\nInstall.framework&#39;s &#39;runner&#39; binary that resulted in\r\nprivileges being incorrectly dropped. This issue was addressed\r\nthrough improved object locking.\r\nCVE-ID\r\nCVE-2015-5754 : Ian Beer of Google Project Zero\r\n\r\nIOFireWireFamily\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: Memory corruption issues existed in IOFireWireFamily.\r\nThese issues were addressed through additional type input validation.\r\nCVE-ID\r\nCVE-2015-3769 : Ilja van Sprundel\r\nCVE-2015-3771 : Ilja van Sprundel\r\nCVE-2015-3772 : Ilja van Sprundel\r\n\r\nIOGraphics\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in IOGraphics. This\r\nissue was addressed through additional type input validation.\r\nCVE-ID\r\nCVE-2015-3770 : Ilja van Sprundel\r\nCVE-2015-5783 : Ilja van Sprundel\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A buffer overflow issue existed in IOHIDFamily. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5774 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: An issue existed in the mach_port_space_info interface,\r\nwhich could have led to the disclosure of kernel memory layout. This\r\nwas addressed by disabling the mach_port_space_info interface.\r\nCVE-ID\r\nCVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,\r\n@PanguTeam\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: An integer overflow existed in the handling of IOKit\r\nfunctions. This issue was addressed through improved validation of\r\nIOKit API arguments.\r\nCVE-ID\r\nCVE-2015-3768 : Ilja van Sprundel\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to cause a system denial of service\r\nDescription: A resource exhaustion issue existed in the fasttrap\r\ndriver. This was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5747 : Maxime VILLARD of m00nbsd\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to cause a system denial of service\r\nDescription: A validation issue existed in the mounting of HFS\r\nvolumes. This was addressed by adding additional checks.\r\nCVE-ID\r\nCVE-2015-5748 : Maxime VILLARD of m00nbsd\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute unsigned code\r\nDescription: An issue existed that allowed unsigned code to be\r\nappended to signed code in a specially crafted executable file. This\r\nissue was addressed through improved code signature validation.\r\nCVE-ID\r\nCVE-2015-3806 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A specially crafted executable file could allow unsigned,\r\nmalicious code to execute\r\nDescription: An issue existed in the way multi-architecture\r\nexecutable files were evaluated that could have allowed unsigned code\r\nto be executed. This issue was addressed through improved validation\r\nof executable files.\r\nCVE-ID\r\nCVE-2015-3803 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute unsigned code\r\nDescription: A validation issue existed in the handling of Mach-O\r\nfiles. This was addressed by adding additional checks.\r\nCVE-ID\r\nCVE-2015-3802 : TaiG Jailbreak Team\r\nCVE-2015-3805 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted plist may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption existed in processing of malformed\r\nplists. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein\r\n&#40;@jollyjinx&#41; of Jinx Germany\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A path validation issue existed. This was addressed\r\nthrough improved environment sanitization.\r\nCVE-ID\r\nCVE-2015-3761 : Apple\r\n\r\nLibc\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted regular expression may lead\r\nto an unexpected application termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in the TRE library.\r\nThese were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3796 : Ian Beer of Google Project Zero\r\nCVE-2015-3797 : Ian Beer of Google Project Zero\r\nCVE-2015-3798 : Ian Beer of Google Project Zero\r\n\r\nLibinfo\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in handling AF_INET6\r\nsockets. These were addressed by improved memory handling.\r\nCVE-ID\r\nCVE-2015-5776 : Apple\r\n\r\nlibpthread\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in handling syscalls.\r\nThis issue was addressed through improved lock state checking.\r\nCVE-ID\r\nCVE-2015-5757 : Lufeng Li of Qihoo 360\r\n\r\nlibxml2\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in libxml2 versions prior\r\nto 2.9.2, the most serious of which may allow a remote attacker to\r\ncause a denial of service\r\nDescription: Multiple vulnerabilities existed in libxml2 versions\r\nprior to 2.9.2. These were addressed by updating libxml2 to version\r\n2.9.2.\r\nCVE-ID\r\nCVE-2012-6685 : Felix Groebert of Google\r\nCVE-2014-0191 : Felix Groebert of Google\r\n\r\nlibxml2\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted XML document may lead to\r\ndisclosure of user information\r\nDescription: A memory access issue existed in libxml2. This was\r\naddressed by improved memory handling\r\nCVE-ID\r\nCVE-2014-3660 : Felix Groebert of Google\r\n\r\nlibxml2\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted XML document may lead to\r\ndisclosure of user information\r\nDescription: A memory corruption issue existed in parsing of XML\r\nfiles. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3807 : Apple\r\n\r\nlibxpc\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in handling of\r\nmalformed XPC messages. This issue was improved through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-3795 : Mathew Rowley\r\n\r\nmail_cmds\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary shell commands\r\nDescription: A validation issue existed in the mailx parsing of\r\nemail addresses. This was addressed by improved sanitization.\r\nCVE-ID\r\nCVE-2014-7844\r\n\r\nNotification Center OSX\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to access all\r\nnotifications previously displayed to users\r\nDescription: An issue existed in Notification Center, which did not\r\nproperly delete user notifications. This issue was addressed by\r\ncorrectly deleting notifications dismissed by users.\r\nCVE-ID\r\nCVE-2015-3764 : Jonathan Zdziarski\r\n\r\nntfs\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in NTFS. This issue\r\nwas addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze\r\nNetworks\r\n\r\nOpenSSH\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Remote attackers may be able to circumvent a time delay for\r\nfailed login attempts and conduct brute-force attacks\r\nDescription: An issue existed when processing keyboard-interactive\r\ndevices. This issue was addressed through improved authentication\r\nrequest validation.\r\nCVE-ID\r\nCVE-2015-5600\r\n\r\nOpenSSL\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in OpenSSL versions prior\r\nto 0.9.8zg, the most serious of which may allow a remote attacker to\r\ncause a denial of service.\r\nDescription: Multiple vulnerabilities existed in OpenSSL versions\r\nprior to 0.9.8zg. These were addressed by updating OpenSSL to version\r\n0.9.8zg.\r\nCVE-ID\r\nCVE-2015-1788\r\nCVE-2015-1789\r\nCVE-2015-1790\r\nCVE-2015-1791\r\nCVE-2015-1792\r\n\r\nperl\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted regular expression may lead to\r\ndisclosure of unexpected application termination or arbitrary code\r\nexecution\r\nDescription: An integer underflow issue existed in the way Perl\r\nparsed regular expressions. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2013-7422\r\n\r\nPostgreSQL\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: An attacker may be able to cause unexpected application\r\ntermination or gain access to data without proper authentication\r\nDescription: Multiple issues existed in PostgreSQL 9.2.4. These\r\nissues were addressed by updating PostgreSQL to 9.2.13.\r\nCVE-ID\r\nCVE-2014-0067\r\nCVE-2014-8161\r\nCVE-2015-0241\r\nCVE-2015-0242\r\nCVE-2015-0243\r\nCVE-2015-0244\r\n\r\npython\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in Python 2.7.6, the most\r\nserious of which may lead to arbitrary code execution\r\nDescription: Multiple vulnerabilities existed in Python versions\r\nprior to 2.7.6. These were addressed by updating Python to version\r\n2.7.10.\r\nCVE-ID\r\nCVE-2013-7040\r\nCVE-2013-7338\r\nCVE-2014-1912\r\nCVE-2014-7185\r\nCVE-2014-9365\r\n\r\nQL Office\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted Office document may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in parsing of Office\r\ndocuments. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5773 : Apple\r\n\r\nQL Office\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted XML file may lead to\r\ndisclosure of user information\r\nDescription: An external entity reference issue existed in XML file\r\nparsing. This issue was addressed through improved parsing.\r\nCVE-ID\r\nCVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.\r\n\r\nQuartz Composer Framework\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted QuickTime file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in parsing of\r\nQuickTime files. This issue was addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-5771 : Apple\r\n\r\nQuick Look\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Searching for a previously viewed website may launch the web\r\nbrowser and render that website\r\nDescription: An issue existed where QuickLook had the capability to\r\nexecute JavaScript. The issue was addressed by disallowing execution\r\nof JavaScript.\r\nCVE-ID\r\nCVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole\r\n\r\nQuickTime 7\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in QuickTime.\r\nThese issues were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3772\r\nCVE-2015-3779\r\nCVE-2015-5753 : Apple\r\nCVE-2015-5779 : Apple\r\n\r\nQuickTime 7\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in QuickTime.\r\nThese issues were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3765 : Joe Burnett of Audio Poison\r\nCVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-5751 : WalkerFuz\r\n\r\nSceneKit\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Viewing a maliciously crafted Collada file may lead to\r\narbitrary code execution\r\nDescription: A heap buffer overflow existed in SceneKit&#39;s handling\r\nof Collada files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5772 : Apple\r\n\r\nSceneKit\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in SceneKit. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3783 : Haris Andrianakis of Google Security Team\r\n\r\nSecurity\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A standard user may be able to gain access to admin\r\nprivileges without proper authentication\r\nDescription: An issue existed in handling of user authentication.\r\nThis issue was addressed through improved authentication checks.\r\nCVE-ID\r\nCVE-2015-3775 : [Eldon Ahrold]\r\n\r\nSMBClient\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the SMB client.\r\nThis issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3773 : Ilja van Sprundel\r\n\r\nSpeech UI\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted unicode string with speech\r\nalerts enabled may lead to an unexpected application termination or\r\narbitrary code execution\r\nDescription: A memory corruption issue existed in handling of\r\nUnicode strings. This issue was addressed by improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-3794 : Adam Greenbaum of Refinitive\r\n\r\nsudo\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in sudo versions prior to\r\n1.7.10p9, the most serious of which may allow an attacker access to\r\narbitrary files\r\nDescription: Multiple vulnerabilities existed in sudo versions prior\r\nto 1.7.10p9. These were addressed by updating sudo to version\r\n1.7.10p9.\r\nCVE-ID\r\nCVE-2013-1775\r\nCVE-2013-1776\r\nCVE-2013-2776\r\nCVE-2013-2777\r\nCVE-2014-0106\r\nCVE-2014-9680\r\n\r\ntcpdump\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most\r\nserious of which may allow a remote attacker to cause a denial of\r\nservice.\r\nDescription: Multiple vulnerabilities existed in tcpdump versions\r\nprior to 4.7.3. These were addressed by updating tcpdump to version\r\n4.7.3.\r\nCVE-ID\r\nCVE-2014-8767\r\nCVE-2014-8769\r\nCVE-2014-9140\r\n\r\nText Formats\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted text file may lead to\r\ndisclosure of user information\r\nDescription: An XML external entity reference issue existed with\r\nTextEdit parsing. This issue was addressed through improved parsing.\r\nCVE-ID\r\nCVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team\r\n\r\nudf\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted DMG file may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in parsing of\r\nmalformed DMG images. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3767 : beist of grayhash\r\n\r\nOS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:\r\nhttps://support.apple.com/en-us/HT205033\r\n\r\nOS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained\r\nfrom the Mac App Store or Apple&#39;s Software Downloads web site:\r\nhttp://www.apple.com/support/downloads/\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: https://support.apple.com/kb/HT201222\r\n\r\nThis message is signed with Apple&#39;s Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-08-17T00:00:00", "title": "APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:00", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-5768", "CVE-2015-5600", "CVE-2015-2787", "CVE-2015-5779", "CVE-2013-1775", "CVE-2015-3185", "CVE-2015-3786", "CVE-2015-1792", "CVE-2015-3761", "CVE-2014-7844", "CVE-2015-3781", "CVE-2015-3776", "CVE-2015-2783", "CVE-2015-5748", "CVE-2014-1912", "CVE-2015-3802", "CVE-2015-3797", "CVE-2014-0191", "CVE-2015-3762", "CVE-2015-3329", "CVE-2009-5078", "CVE-2015-5754", "CVE-2015-3783", "CVE-2015-3330", "CVE-2014-3613", "CVE-2015-1789", "CVE-2015-3789", "CVE-2014-8150", "CVE-2014-3583", "CVE-2015-3779", "CVE-2015-3788", "CVE-2015-3778", "CVE-2015-0241", "CVE-2013-1776", "CVE-2015-5776", "CVE-2015-3766", "CVE-2015-3775", "CVE-2013-7338", "CVE-2015-3798", "CVE-2015-5777", "CVE-2015-3765", "CVE-2015-3782", "CVE-2015-0242", "CVE-2015-0253", "CVE-2015-3784", "CVE-2015-3787", "CVE-2015-3799", "CVE-2015-3153", "CVE-2015-3768", "CVE-2015-3760", "CVE-2015-4148", "CVE-2015-5781", "CVE-2015-3805", "CVE-2015-3790", "CVE-2015-5774", "CVE-2015-3792", "CVE-2015-3803", "CVE-2015-3307", "CVE-2015-4025", "CVE-2015-5784", "CVE-2015-5751", "CVE-2015-4024", "CVE-2015-3795", "CVE-2015-5750", "CVE-2015-5747", "CVE-2015-4021", "CVE-2015-3144", "CVE-2014-7185", "CVE-2015-5761", "CVE-2013-2777", "CVE-2015-3794", "CVE-2015-5773", "CVE-2015-3769", "CVE-2014-3707", "CVE-2015-3800", "CVE-2015-0228", "CVE-2015-3807", "CVE-2015-0244", "CVE-2015-4026", "CVE-2014-8769", "CVE-2015-5756", "CVE-2014-3660", "CVE-2015-1788", "CVE-2015-4147", "CVE-2014-8161", "CVE-2012-6685", "CVE-2015-5753", "CVE-2015-3183", "CVE-2015-3772", "CVE-2014-3620", "CVE-2014-9140", "CVE-2013-2776", "CVE-2015-4022", "CVE-2015-3770", "CVE-2015-3777", "CVE-2015-5771", "CVE-2015-5775", "CVE-2015-3780", "CVE-2013-7422", "CVE-2015-5755", "CVE-2015-3145", "CVE-2015-1790", "CVE-2015-5758", "CVE-2014-0106", "CVE-2015-0243", "CVE-2015-3804", "CVE-2015-3773", "CVE-2014-3581", "CVE-2015-3774", "CVE-2015-5782", "CVE-2014-8109", "CVE-2015-5778", "CVE-2013-7040", "CVE-2015-3757", "CVE-2015-3764", "CVE-2015-3143", "CVE-2014-0067", "CVE-2015-5772", "CVE-2015-3791", "CVE-2014-9365", "CVE-2014-8151", "CVE-2015-5757", "CVE-2015-3796", "CVE-2009-5044", "CVE-2015-5783", "CVE-2014-9680", "CVE-2015-5763", "CVE-2014-8767", "CVE-2015-3767", "CVE-2015-3806", "CVE-2015-1791", "CVE-2015-3771", "CVE-2015-3148"], "modified": "2015-08-17T00:00:00", "id": "SECURITYVULNS:DOC:32390", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32390", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:58", "references": [], "description": "Over 150 vulnerabilities in different applications are closed in auqrterly update.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-01-25T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:58", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Enterprise Asset Management", "version": "8.2", "operator": "eq"}, {"name": "Wavese", "version": "8.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Oracle Forms", "version": "11.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "3.5", "operator": "eq"}, {"name": "Fusion Middleware", "version": "11.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "5.5", "operator": "eq"}, {"name": "Healthcare Master Person Index", "version": "2", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "6.5", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "10.1", "operator": "eq"}, {"name": "SOA Suite", "version": "11.1", "operator": "eq"}, {"name": "Java SE Embedded", "version": "8", "operator": "eq"}, {"name": "Communications Diameter Signaling Router", "version": "5.0", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Siebel Applications", "version": "8.2", "operator": "eq"}, {"name": "WebLogic Portal", "version": "10.3", "operator": "eq"}, {"name": "BI Publisher", "version": "10.1", "operator": "eq"}, {"name": "RTD Platform", "version": "3.0", "operator": "eq"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "11.5", "operator": "eq"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "SOA Suite", "version": "12.1", "operator": "eq"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "Integrated Lights Out Manager", "version": "3.2", "operator": "eq"}, {"name": "WebLogic Server", "version": "12.1", "operator": "eq"}, {"name": "OpenSSO", "version": "8.0", "operator": "eq"}, {"name": "WebLogic Server", "version": "10.3", "operator": "eq"}, {"name": "MICROS Retail", "version": "4.8", "operator": "eq"}, {"name": "Oracle Containers for J2EE", "version": "10.1", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Agile PLM for Process", "version": "6.1", "operator": "eq"}, {"name": "Oracle Directory Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle Reports", "version": "11.1", "operator": "eq"}, {"name": "WebCenter Content", "version": "11.1", "operator": "eq"}, {"name": "VirtualBox", "version": "4.3", "operator": "eq"}, {"name": "Oracle Directory Server", "version": "7.0", "operator": "eq"}, {"name": "MySQL Server", "version": "5.5", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Fusion Middleware", "version": "10.1", "operator": "eq"}, {"name": "Solaris", "version": "11", "operator": "eq"}, {"name": "Oracle", "version": "11.1", "operator": "eq"}, {"name": "BI Publisher", "version": "11.1", "operator": "eq"}, {"name": "Fusion Middleware", "version": "12.1", "operator": "eq"}, {"name": "Solaris", "version": "10", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "12.1", "operator": "eq"}, {"name": "Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "JD Edwards EnterpriseOne Tool", "version": "9.1", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "eq"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.0", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "eq"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "eq"}, {"name": "Communications Messaging Server", "version": "7.0", "operator": "eq"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-6599", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2014-0114", "CVE-2015-0364", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-25T00:00:00", "id": "SECURITYVULNS:VULN:14233", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14233", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:46:07", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "x86_64", "packageName": "libxml2-debuginfo", "packageFilename": "libxml2-debuginfo-2.9.1-5.el7_1.2.x86_64.rpm", "operator": "lt"}], "description": "The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n", "reporter": "RedHat", "published": "2015-03-30T04:00:00", "type": "redhat", "title": "(RHSA-2015:0749) Moderate: libxml2 security update", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-04-12T03:33:29", "id": "RHSA-2015:0749", "href": "https://access.redhat.com/errata/RHSA-2015:0749", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:41:46", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "arch": "i686", "packageName": "libxml2-debuginfo", "packageFilename": "libxml2-debuginfo-2.7.6-14.el6_5.1.i686.rpm", "operator": "lt"}], "description": "The libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nAn out-of-bounds read flaw was found in the way libxml2 detected the end of\nan XML file. A remote attacker could provide a specially crafted XML file\nthat, when processed by an application linked against libxml2, could cause\nthe application to crash. (CVE-2013-2877)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n", "reporter": "RedHat", "published": "2014-05-19T04:00:00", "type": "redhat", "title": "(RHSA-2014:0513) Moderate: libxml2 security update", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2877", "CVE-2014-0191"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:12", "id": "RHSA-2014:0513", "href": "https://access.redhat.com/errata/RHSA-2014:0513", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-03T18:25:05", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0749.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "x86_64", "packageName": "libxml2-static", "packageFilename": "libxml2-static-2.9.1-5.el7_1.2.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "x86_64", "packageName": "libxml2-devel", "packageFilename": "libxml2-devel-2.9.1-5.el7_1.2.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "i686", "packageName": "libxml2-static", "packageFilename": "libxml2-static-2.9.1-5.el7_1.2.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "x86_64", "packageName": "libxml2", "packageFilename": "libxml2-2.9.1-5.el7_1.2.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "i686", "packageName": "libxml2", "packageFilename": "libxml2-2.9.1-5.el7_1.2.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "x86_64", "packageName": "libxml2-python", "packageFilename": "libxml2-python-2.9.1-5.el7_1.2.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "i686", "packageName": "libxml2-devel", "packageFilename": "libxml2-devel-2.9.1-5.el7_1.2.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "2.9.1-5.el7_1.2", "arch": "any", "packageName": "libxml2", "packageFilename": "libxml2-2.9.1-5.el7_1.2.src.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0749\n\n\nThe libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021029.html\n\n**Affected packages:**\nlibxml2\nlibxml2-devel\nlibxml2-python\nlibxml2-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0749.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-04-01T03:26:34", "title": "libxml2 security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2015-04-01T03:26:34", "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021029.html", "id": "CESA-2015:0749", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-03T18:25:43", "references": ["https://rhn.redhat.com/errata/RHSA-2014-0513.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-devel-2.7.6-14.el6_5.1.i686.rpm", "packageName": "libxml2-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-devel-2.7.6-14.el6_5.1.i686.rpm", "packageName": "libxml2-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-python-2.7.6-14.el6_5.1.i686.rpm", "packageName": "libxml2-python", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-2.7.6-14.el6_5.1.x86_64.rpm", "packageName": "libxml2", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-static-2.7.6-14.el6_5.1.x86_64.rpm", "packageName": "libxml2-static", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-static-2.7.6-14.el6_5.1.i686.rpm", "packageName": "libxml2-static", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-devel-2.7.6-14.el6_5.1.x86_64.rpm", "packageName": "libxml2-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-2.7.6-14.el6_5.1.src.rpm", "packageName": "libxml2", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-python-2.7.6-14.el6_5.1.x86_64.rpm", "packageName": "libxml2-python", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-2.7.6-14.el6_5.1.i686.rpm", "packageName": "libxml2", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.7.6-14.el6_5.1", "packageFilename": "libxml2-2.7.6-14.el6_5.1.i686.rpm", "packageName": "libxml2", "arch": "i686", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2014:0513\n\n\nThe libxml2 library is a development toolbox providing the implementation\nof various XML standards.\n\nIt was discovered that libxml2 loaded external parameter entities even when\nentity substitution was disabled. A remote attacker able to provide a\nspecially crafted XML file to an application linked against libxml2 could\nuse this flaw to conduct XML External Entity (XXE) attacks, possibly\nresulting in a denial of service or an information leak on the system.\n(CVE-2014-0191)\n\nAn out-of-bounds read flaw was found in the way libxml2 detected the end of\nan XML file. A remote attacker could provide a specially crafted XML file\nthat, when processed by an application linked against libxml2, could cause\nthe application to crash. (CVE-2013-2877)\n\nThe CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.\n\nAll libxml2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The desktop must be\nrestarted (log out, then log back in) for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-May/020303.html\n\n**Affected packages:**\nlibxml2\nlibxml2-devel\nlibxml2-python\nlibxml2-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0513.html", "edition": 1, "reporter": "CentOS Project", "published": "2014-05-19T13:08:11", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "libxml2 security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "modified": "2014-05-19T13:08:11", "href": "http://lists.centos.org/pipermail/centos-announce/2014-May/020303.html", "id": "CESA-2014:0513", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "aix": [{"lastseen": "2018-08-31T00:08:38", "aixFileset": [{"productVersions": ["6100-08-02", "6100-08-01", "6100-08-03", "6100-08-00", "6100-08-04"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "aix"}, {"productVersions": ["6100-08-02", "6100-08-01", "6100-08-03", "6100-08-00", "6100-08-04"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "aix"}, {"productVersions": ["6100-08-02", "6100-08-01", "6100-08-03", "6100-08-00", "6100-08-04"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "aix"}, {"productVersions": ["6100-08-02", "6100-08-01", "6100-08-03", "6100-08-00", "6100-08-04"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "aix"}, {"productVersions": ["6100-08-02", "6100-08-01", "6100-08-03", "6100-08-00", "6100-08-04"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "aix"}, {"productVersions": ["7100-02-04", "7100-02-01", "7100-02-00", "7100-02-03", "7100-02-02"], "versionGte": "7.1.2.0", "fileset": "bos.rte.control", "versionLte": "7.1.2.17", "productName": "aix"}, {"productVersions": ["7100-02-04", "7100-02-01", "7100-02-00", "7100-02-03", "7100-02-02"], "versionGte": "7.1.2.0", "fileset": "bos.rte.control", "versionLte": "7.1.2.17", "productName": "aix"}, {"productVersions": ["7100-02-04", "7100-02-01", "7100-02-00", "7100-02-03", "7100-02-02"], "versionGte": "7.1.2.0", "fileset": "bos.rte.control", "versionLte": "7.1.2.17", "productName": "aix"}, {"productVersions": ["7100-02-04", "7100-02-01", "7100-02-00", "7100-02-03", "7100-02-02"], "versionGte": "7.1.2.0", "fileset": "bos.rte.control", "versionLte": "7.1.2.17", "productName": "aix"}, {"productVersions": ["7100-02-04", "7100-02-01", "7100-02-00", "7100-02-03", "7100-02-02"], "versionGte": "7.1.2.0", "fileset": "bos.rte.control", "versionLte": "7.1.2.17", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "vios"}, {"productVersions": ["any"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "vios"}, {"productVersions": ["any"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "vios"}, {"productVersions": ["any"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "vios"}, {"productVersions": ["any"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "vios"}, {"productVersions": ["any"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "vios"}, {"productVersions": ["any"], "versionGte": "6.1.8.0", "fileset": "bos.rte.control", "versionLte": "6.1.8.17", "productName": "vios"}, {"productVersions": ["7100-03-01", "7100-03-03", "7100-03-00", "7100-03-02"], "versionGte": "7.1.3.0", "fileset": "bos.rte.control", "versionLte": "7.1.3.15", "productName": "aix"}, {"productVersions": ["7100-03-01", "7100-03-03", "7100-03-00", "7100-03-02"], "versionGte": "7.1.3.0", "fileset": "bos.rte.control", "versionLte": "7.1.3.15", "productName": "aix"}, {"productVersions": ["7100-03-01", "7100-03-03", "7100-03-00", "7100-03-02"], "versionGte": "7.1.3.0", "fileset": "bos.rte.control", "versionLte": "7.1.3.15", "productName": "aix"}, {"productVersions": ["7100-03-01", "7100-03-03", "7100-03-00", "7100-03-02"], "versionGte": "7.1.3.0", "fileset": "bos.rte.control", "versionLte": "7.1.3.15", "productName": "aix"}, {"productVersions": ["6100-09-03", "6100-09-02", "6100-09-00", "6100-09-01"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "aix"}, {"productVersions": ["6100-09-03", "6100-09-02", "6100-09-00", "6100-09-01"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "aix"}, {"productVersions": ["6100-09-03", "6100-09-02", "6100-09-00", "6100-09-01"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "aix"}, {"productVersions": ["6100-09-03", "6100-09-02", "6100-09-00", "6100-09-01"], "versionGte": "6.1.9.0", "fileset": "bos.rte.control", "versionLte": "6.1.9.15", "productName": "aix"}], "references": [], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Fri Aug 15 10:26:30 CDT 2014\nUpdated: Fri Aug 22 08:17:41 CDT 2014\nUpdate: fixed APAR availability dates\n|Update: Mon Aug 25 15:18:37 CDT 2014\n|Update Corrected a couple Service Pack level#s\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc\n\n===============================================================================\n VULNERABILITY SUMMARY\n\nVULNERABILITY: AIX libxml2 vulnerability\n\nPLATFORMS: AIX 6.1 and 7.1 releases\n VIOS 2.2.*\n\nSOLUTION: Apply the fix as described below\n\nTHREAT: A remote attacker could exploit this vulnerability using a\n specially-crafted XML document containing malicious attributes\n to consume all available CPU resources.\n\nCVE Number: CVE-2014-0191 CVSS=5.0\n\nReboot required? NO \nWorkarounds? NO\nProtected by FPM? NO\nProtected by SED? NO\n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION\n\n Libxml2 is vulnerable to a denial of service, caused by the expansion of \n internal entities within the xmlParserHandlePEReference().\n\nII. CVSS\n\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93092\n for more information\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\nIII. PLATFORM VULNERABILITY ASSESSMENT\n\n Note: To use the following commands on VIOS you must first\n execute:\n\n oem_setup_env\n\n To determine if your system is vulnerable, execute the following\n command:\n\n lslpp -L bos.rte.control\n\n The following fileset levels are vulnerable:\n\n AIX Fileset Lower Level Upper Level KEY\n --------------------------------------------------------\n bos.rte.control 6.1.8.0 6.1.8.17 key_w_fix\n bos.rte.control 6.1.9.0 6.1.9.15 key_w_fix\n bos.rte.control 7.1.2.0 7.1.2.17 key_w_fix\n bos.rte.control 7.1.3.0 7.1.3.15 key_w_fix\n\n AIX Fileset (VIOS) Lower Level Upper Level\n ----------------------------------------------------------------\n bos.rte.control 6.1.8.0(2.2.2.0) 6.1.8.17(2.2.2.4)\n bos.rte.control 6.1.9.0(2.2.3.0) 6.1.9.15(2.2.3.3)\n\nIV. SOLUTIONS\n\n A. APARS\n\n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR number Availability KEY\n ------------------------------------------------------------\n| 6.1.8 IV62447 12/31/2014 SP6 key_w_apar\n 6.1.9 IV62448 10/24/2014 SP4 key_w_apar\n| 7.1.2 IV62449 12/31/2014 SP6 key_w_apar\n 7.1.3 IV62450 10/24/2014 SP4 key_w_apar\n \n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV62447\n http://www.ibm.com/support/docview.wss?uid=isg1IV62448\n http://www.ibm.com/support/docview.wss?uid=isg1IV62449\n http://www.ibm.com/support/docview.wss?uid=isg1IV62450\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available. The fixes can be downloaded via ftp\n from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/libxml2_fix.tar\n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n AIX Level Interim Fix (*.Z) KEY\n ---------------------------------------------------\n 6.1.8.4 IV62447s4a.140715.epkg.Z key_w_fix\n 6.1.9.3 IV62448s3a.140715.epkg.Z key_w_fix\n 7.1.2.4 IV62449s4a.140715.epkg.Z key_w_fix\n 7.1.3.3 IV62450s3a.140715.epkg.Z key_w_fix\n\n VIOS Level Interim Fix (*.Z)\n -------------------------------------\n 2.2.2.4 IV62447s4a.140715.epkg.Z\n 2.2.3.3 IV62448s3a.140715.epkg.Z\n\n To extract the fixes from the tar file:\n\n tar xvf libxml2_fix.tar\n cd libxml2_fix\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command is the following:\n\n openssl dgst -sha256 filename KEY\n ----------------------------------------------------------------------------------------------------\n c3b02f8faf29386056616d4ec015acc47d5b8849e84a6f10912db62082fd8a23 IV62447s4a.140715.epkg.Z key_w_csum\n d0beae655b28178f13952fb0da831e028a28b9ed25d3cfe267e61cbcf08ff5aa IV62448s3a.140715.epkg.Z key_w_csum\n 2ce78311783f31c76abc8fba4d8f4ebeb376c64e23c268f954b0b9356d431755 IV62449s4a.140715.epkg.Z key_w_csum\n 3b414db115af1f4d32879474d14d8aaed276f149db6bc022e398f2c58a6da0a2 IV62450s3a.140715.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc.sig\n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n Ti preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; thus, IBM does not warrant the fully\n correct functionality of an interim fix.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\nV. WORKAROUNDS\n\n None\n\nVI. OBTAINING FIXES\n\n AIX security fixes can be downloaded from:\n\n ftp://aix.software.ibm.com/aix/efixes/security\n\n AIX fixes can be downloaded from:\n\n http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix\n\n NOTE: Affected customers are urged to upgrade to the latest\n applicable Technology Level and Service Pack.\n\nVII. CONTACT INFORMATION\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n \n To view previously issued advisories, please visit:\n \n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n\n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n\tTo obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To request the PGP public key that can be used to communicate\n securely with the AIX Security Team you can either:\n\n A. Send an email with \"get key\" in the subject line to:\n\n security-alert@austin.ibm.com\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\nVIII. ACKNOWLEDGMENTS\n\n IBM discovered and fixed this vulnerability as part of its\n commitment to secure the AIX operating system.\n\nIX. REFERENCES:\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/75510\n CVE-2014-0191: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n", "edition": 3, "reporter": "CentOS Project", "published": "2014-08-15T10:26:30", "title": "AIX libxml2 vulnerability", "type": "aix", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "aix": {"apars": []}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191"], "modified": "2014-08-22T08:17:41", "id": "LIBXML2_ADVISORY.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory.asc", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:49:00", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "i686", "packageFilename": "libxml2-static-2.7.6-14.0.1.el6_5.1.i686.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "x86_64", "packageFilename": "libxml2-devel-2.7.6-14.0.1.el6_5.1.x86_64.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "i686", "packageFilename": "libxml2-devel-2.7.6-14.0.1.el6_5.1.i686.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "i686", "packageFilename": "libxml2-devel-2.7.6-14.0.1.el6_5.1.i686.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "i686", "packageFilename": "libxml2-python-2.7.6-14.0.1.el6_5.1.i686.rpm", "packageName": "libxml2-python", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "x86_64", "packageFilename": "libxml2-python-2.7.6-14.0.1.el6_5.1.x86_64.rpm", "packageName": "libxml2-python", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "i686", "packageFilename": "libxml2-2.7.6-14.0.1.el6_5.1.i686.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "i686", "packageFilename": "libxml2-2.7.6-14.0.1.el6_5.1.i686.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "x86_64", "packageFilename": "libxml2-static-2.7.6-14.0.1.el6_5.1.x86_64.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "x86_64", "packageFilename": "libxml2-2.7.6-14.0.1.el6_5.1.x86_64.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "src", "packageFilename": "libxml2-2.7.6-14.0.1.el6_5.1.src.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.6-14.0.1.el6_5.1", "arch": "src", "packageFilename": "libxml2-2.7.6-14.0.1.el6_5.1.src.rpm", "packageName": "libxml2", "operator": "lt"}], "description": "[2.7.6-14.0.1.el6_5.1]\n- Update doc/redhat.gif in tarball\n- Add libxml2-oracle-enterprise.patch and update logos in tarball\n[2-2.7.6-14.el6_5.1]\n- Improve handling of xmlStopParser(CVE-2013-2877)\n- Do not fetch external parameter entities (CVE-2014-0191)", "edition": 3, "reporter": "Oracle", "published": "2014-05-19T00:00:00", "title": "libxml2 security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2013-2877"], "modified": "2014-05-19T00:00:00", "id": "ELSA-2014-0513", "href": "http://linux.oracle.com/errata/ELSA-2014-0513.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:42:51", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "i686", "packageFilename": "libxml2-2.9.1-5.0.1.el7_1.2.i686.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "i686", "packageFilename": "libxml2-devel-2.9.1-5.0.1.el7_1.2.i686.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "x86_64", "packageFilename": "libxml2-static-2.9.1-5.0.1.el7_1.2.x86_64.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "x86_64", "packageFilename": "libxml2-python-2.9.1-5.0.1.el7_1.2.x86_64.rpm", "packageName": "libxml2-python", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "x86_64", "packageFilename": "libxml2-2.9.1-5.0.1.el7_1.2.x86_64.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "x86_64", "packageFilename": "libxml2-devel-2.9.1-5.0.1.el7_1.2.x86_64.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "src", "packageFilename": "libxml2-2.9.1-5.0.1.el7_1.2.src.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-5.0.1.el7_1.2", "arch": "i686", "packageFilename": "libxml2-static-2.9.1-5.0.1.el7_1.2.i686.rpm", "packageName": "libxml2-static", "operator": "lt"}], "description": "[2.9.1-5.0.1.el7_1.2]\n- Update doc/redhat.gif in tarball\n- Add libxml2-oracle-enterprise.patch and update logos in tarball\n[2.9.1-5.2]\n- Fix missing entities after CVE-2014-3660 fix\n- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195649)\n- Fix regressions introduced by CVE-2014-0191 patch", "edition": 3, "reporter": "Oracle", "published": "2015-03-30T00:00:00", "title": "libxml2 security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "modified": "2015-03-30T00:00:00", "id": "ELSA-2015-0749", "href": "http://linux.oracle.com/errata/ELSA-2015-0749.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:39:43", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "i686", "packageFilename": "libxml2-static-2.9.1-6.0.1.el7_2.2.i686.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "x86_64", "packageFilename": "libxml2-static-2.9.1-6.0.1.el7_2.2.x86_64.rpm", "packageName": "libxml2-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "src", "packageFilename": "libxml2-2.9.1-6.0.1.el7_2.2.src.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "x86_64", "packageFilename": "libxml2-python-2.9.1-6.0.1.el7_2.2.x86_64.rpm", "packageName": "libxml2-python", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "x86_64", "packageFilename": "libxml2-devel-2.9.1-6.0.1.el7_2.2.x86_64.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "i686", "packageFilename": "libxml2-2.9.1-6.0.1.el7_2.2.i686.rpm", "packageName": "libxml2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "i686", "packageFilename": "libxml2-devel-2.9.1-6.0.1.el7_2.2.i686.rpm", "packageName": "libxml2-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "2.9.1-6.0.1.el7_2.2", "arch": "x86_64", "packageFilename": "libxml2-2.9.1-6.0.1.el7_2.2.x86_64.rpm", "packageName": "libxml2", "operator": "lt"}], "description": "[2.9.1-6.0.1.el7_1.2]\n- Update doc/redhat.gif in tarball\n- Add libxml2-oracle-enterprise.patch and update logos in tarball\n[2.9.1-6.2]\n- Fix a series of CVEs (rhbz#1286496)\n- CVE-2015-7941 Stop parsing on entities boundaries errors\n- CVE-2015-7941 Cleanup conditional section error handling\n- CVE-2015-8317 Fail parsing early on if encoding conversion failed\n- CVE-2015-7942 Another variation of overflow in Conditional sections\n- CVE-2015-7942 Fix an error in previous Conditional section patch\n- Fix parsing short unclosed comment uninitialized access\n- CVE-2015-7498 Avoid processing entities after encoding conversion failures\n- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey\n- CVE-2015-5312 Another entity expansion issue\n- CVE-2015-7499 Add xmlHaltParser() to stop the parser\n- CVE-2015-7499 Detect incoherency on GROW\n- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries\n- CVE-2015-8242 Buffer overead with HTML parser in push mode\n- CVE-2015-1819 Enforce the reader to run in constant memory\n[2.9.1-6]\n- Fix missing entities after CVE-2014-3660 fix\n- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)\n- Fix regressions introduced by CVE-2014-0191 patch\n[2.9.1-5.1]\n- CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)", "edition": 3, "reporter": "Oracle", "published": "2015-12-07T00:00:00", "title": "libxml2 security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-7497", "CVE-2015-7941", "CVE-2014-0191", "CVE-2015-8317", "CVE-2015-7498", "CVE-2015-8241", "CVE-2015-5312", "CVE-2015-7500", "CVE-2015-8242", "CVE-2015-1819", "CVE-2015-7499", "CVE-2014-3660", "CVE-2015-7942"], "modified": "2015-12-07T00:00:00", "id": "ELSA-2015-2550", "href": "http://linux.oracle.com/errata/ELSA-2015-2550.html", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:42", "references": ["http://www.openwall.com/lists/oss-security/2014/05/06/4", "https://git.gnome.org/browse/libxml2/commit/?id=be2a7", "https://access.redhat.com/security/cve/CVE-2014-0191", "https://bugs.archlinux.org/task/40790", "https://git.gnome.org/browse/libxml2/commit/?id=9cd1c", "https://access.redhat.com/security/cve/CVE-2014-3660"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "2.9.2-1", "packageFilename": "UNKNOWN", "packageName": "libxml2", "arch": "any", "operator": "lt"}], "edition": 1, "description": "Daniel Berrange discovered that libxml2 incorrectly performs entity\nsubstitution in the doctype prolog, even if the application using\nlibxml2 disabled any entity substitution. A remote attacker could\nprovide a specially crafted XML file that, when processed, leads to the\nexhaustion of CPU and memory resources or file descriptors.", "reporter": "Arch Linux", "published": "2014-10-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "libxml2: Denial of service", "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0191", "CVE-2014-3660"], "modified": "2014-10-24T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-October/000123.html", "id": "ASA-201410-12", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "vmware": [{"lastseen": "2018-09-02T02:40:28", "references": [], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "ESXi550-201509101-SG", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.5 Update 2", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "ESXi510-201412101-SG", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.1 Update 3", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.1 Update 3", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCSA", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Update Manager", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.1 Update 3", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Update Manager", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "ESXi550-201505101-SG", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0 Update 3c", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "lt"}], "description": "**a. VMware vCSA cross-site scripting vulnerability** \nVMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. \nVMware would like to thank Tanya Secker of Trustwave SpiderLabs for reporting this issue to us. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3797 to this issue. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "edition": 3, "reporter": "VMware", "published": "2014-12-04T00:00:00", "title": "VMware vSphere product updates address security vulnerabilities", "type": "vmware", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3797", "CVE-2014-0191", "CVE-2013-4238", "CVE-2013-2877", "CVE-2014-0015", "CVE-2013-1752", "CVE-2014-8371", "CVE-2014-0138"], "modified": "2015-01-27T00:00:00", "id": "VMSA-2014-0012", "href": "https://www.vmware.com/security/advisories/VMSA-2014-0012.html", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "suse": [{"lastseen": "2017-10-11T05:54:19", "references": ["https://bugzilla.suse.com/975726", "https://bugzilla.suse.com/1056193"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Module for Containers", "OSVersion": "12", "packageVersion": "20171002", "packageFilename": "sles12-docker-image-1.1.4-20171002.x86_64.rpm", "packageName": "sles12-docker-image-1.1.4", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Containers", "OSVersion": "12", "packageVersion": "20171002", "packageFilename": "sles12-docker-image-1.1.4-20171002.ppc64le.rpm", "packageName": "sles12-docker-image-1.1.4", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Containers", "OSVersion": "12", "packageVersion": "20171002", "packageFilename": "sles12-docker-image-1.1.4-20171002.s390x.rpm", "packageName": "sles12-docker-image-1.1.4", "arch": "s390x", "operator": "lt"}], "description": "The SUSE Linux Enterprise Server 12 container image has been updated to\n include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 are now included in the base\n image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n util-linux:\n\n - CVE-2015-5218\n - CVE-2016-5011\n - CVE-2017-2616\n\n cracklib:\n\n - CVE-2016-6318\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - openldap2\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - shadow\n - zypper\n\n", "edition": 1, "reporter": "Suse", "published": "2017-10-11T03:06:53", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Security update for SLES 12 Docker image (important)", "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6262", "CVE-2017-7407", "CVE-2015-8388", "CVE-2016-8620", "CVE-2016-8623", "CVE-2017-9233", "CVE-2016-5420", "CVE-2016-9840", "CVE-2016-3705", "CVE-2016-1840", "CVE-2014-0191", "CVE-2016-8615", "CVE-2016-8616", "CVE-2015-5276", "CVE-2015-3210", "CVE-2015-2325", "CVE-2016-6261", "CVE-2016-8619", "CVE-2017-10685", "CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2015-8391", "CVE-2016-6263", "CVE-2016-2108", "CVE-2016-9063", "CVE-2016-8618", "CVE-2016-1762", "CVE-2016-6302", "CVE-2016-5300", "CVE-2015-8395", "CVE-2016-7141", "CVE-2016-1834", "CVE-2017-11112", "CVE-2016-2177", "CVE-2014-7169", "CVE-2015-8382", "CVE-2016-3627", "CVE-2015-1283", "CVE-2014-6277", "CVE-2016-2105", "CVE-2016-9318", "CVE-2016-4483", "CVE-2016-2107", "CVE-2015-8386", "CVE-2014-6278", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-3075", "CVE-2016-8617", "CVE-2016-9842", "CVE-2016-7796", "CVE-2017-2616", "CVE-2016-0634", "CVE-2012-6702", "CVE-2015-3238", "CVE-2016-2180", "CVE-2016-1835", "CVE-2016-0787", "CVE-2016-1234", "CVE-2016-0718", "CVE-2016-6185", "CVE-2015-8392", "CVE-2016-4574", "CVE-2015-8389", "CVE-2016-2109", "CVE-2015-8380", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-9048", "CVE-2014-8964", "CVE-2015-2059", "CVE-2017-11113", "CVE-2016-1283", "CVE-2016-6313", "CVE-2016-1837", "CVE-2016-6318", "CVE-2015-3622", "CVE-2016-4448", "CVE-2016-1238", "CVE-2015-8393", "CVE-2016-1838", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-2381", "CVE-2016-7543", "CVE-2017-1000101", "CVE-2016-8622", "CVE-2015-8853", "CVE-2014-7187", "CVE-2015-8394", "CVE-2016-4008", "CVE-2014-9770", "CVE-2015-3217", "CVE-2014-6271", "CVE-2017-7526", "CVE-2016-3191", "CVE-2017-1000366", "CVE-2016-1839", "CVE-2016-8624", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-9047", "CVE-2015-8948", "CVE-2014-7824", "CVE-2015-8842", "CVE-2016-9597", "CVE-2015-5218", "CVE-2016-6303", "CVE-2015-8383", "CVE-2017-1000100", "CVE-2015-8381", "CVE-2016-2182", "CVE-2016-5421", "CVE-2016-9586", "CVE-2015-5073", "CVE-2016-4447", "CVE-2016-5011", "CVE-2015-7511", "CVE-2015-8385", "CVE-2015-8806", "CVE-2016-9841", "CVE-2016-4579", "CVE-2015-0245", "CVE-2016-2037", "CVE-2016-2073", "CVE-2016-5419", "CVE-2015-2328", "CVE-2017-6507", "CVE-2016-4658", "CVE-2016-7167", "CVE-2017-10684", "CVE-2016-2179", "CVE-2016-2106", "CVE-2016-1833", "CVE-2015-8387", "CVE-2016-8621", "CVE-2015-8390", "CVE-2017-9050"], "modified": "2017-10-11T03:06:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html", "id": "SUSE-SU-2017:2699-1", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-11T05:54:20", "references": ["https://bugzilla.suse.com/975726", "https://bugzilla.suse.com/1056193"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Module for Containers", "OSVersion": "12", "packageVersion": "20171002", "packageFilename": "sles12sp1-docker-image-1.0.7-20171002.s390x.rpm", "packageName": "sles12sp1-docker-image-1.0.7", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Containers", "OSVersion": "12", "packageVersion": "20171002", "packageFilename": "sles12sp1-docker-image-1.0.7-20171002.x86_64.rpm", "packageName": "sles12sp1-docker-image-1.0.7", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Containers", "OSVersion": "12", "packageVersion": "20171002", "packageFilename": "sles12sp1-docker-image-1.0.7-20171002.ppc64le.rpm", "packageName": "sles12sp1-docker-image-1.0.7", "arch": "ppc64le", "operator": "lt"}], "description": "The SUSE Linux Enterprise Server 12 SP1 container image has been updated\n to include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 SP1 are now included in the\n base image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n expat:\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n - CVE-2016-7056\n - CVE-2016-8610\n - CVE-2017-3731\n\n cracklib:\n\n - CVE-2016-6318\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n util-linux:\n\n - CVE-2016-5011\n - CVE-2017-2616\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n update-alternatives:\n\n - CVE-2015-0860\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - lua51\n - lvm2\n - netcfg\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - sg3_utils\n - shadow\n - zypper\n\n", "edition": 1, "reporter": "Suse", "published": "2017-10-11T03:07:32", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Security update for SLES 12-SP1 Docker image (important)", "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6262", "CVE-2016-7056", "CVE-2017-7407", "CVE-2015-8388", "CVE-2016-8620", "CVE-2016-8623", "CVE-2017-9233", "CVE-2016-5420", "CVE-2016-9840", "CVE-2016-3705", "CVE-2016-1840", "CVE-2014-0191", "CVE-2016-8615", "CVE-2016-8616", "CVE-2015-5276", "CVE-2015-3210", "CVE-2015-2325", "CVE-2016-6261", "CVE-2016-8619", "CVE-2017-10685", "CVE-2016-6306", "CVE-2016-2183", "CVE-2015-0860", "CVE-2016-2178", "CVE-2015-8391", "CVE-2016-6263", "CVE-2016-2108", "CVE-2016-9063", "CVE-2016-8618", "CVE-2016-1762", "CVE-2016-6302", "CVE-2016-5300", "CVE-2015-8395", "CVE-2016-7141", "CVE-2016-1834", "CVE-2017-11112", "CVE-2016-2177", "CVE-2014-7169", "CVE-2015-8382", "CVE-2016-3627", "CVE-2015-1283", "CVE-2014-6277", "CVE-2016-2105", "CVE-2016-9318", "CVE-2016-4483", "CVE-2016-2107", "CVE-2017-3731", "CVE-2015-8386", "CVE-2014-6278", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-3075", "CVE-2016-8617", "CVE-2016-9842", "CVE-2016-7796", "CVE-2017-2616", "CVE-2016-0634", "CVE-2012-6702", "CVE-2015-3238", "CVE-2016-2180", "CVE-2016-1835", "CVE-2016-0787", "CVE-2016-8610", "CVE-2016-1234", "CVE-2016-0718", "CVE-2016-6185", "CVE-2015-8392", "CVE-2016-4574", "CVE-2015-8389", "CVE-2016-2109", "CVE-2015-8380", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-9048", "CVE-2014-8964", "CVE-2015-2059", "CVE-2017-11113", "CVE-2016-1283", "CVE-2016-6313", "CVE-2016-1837", "CVE-2016-6318", "CVE-2015-3622", "CVE-2016-4448", "CVE-2016-1238", "CVE-2015-8393", "CVE-2016-1838", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-2381", "CVE-2016-7543", "CVE-2017-1000101", "CVE-2016-8622", "CVE-2015-8853", "CVE-2014-7187", "CVE-2015-8394", "CVE-2016-4008", "CVE-2014-9770", "CVE-2015-3217", "CVE-2014-6271", "CVE-2017-7526", "CVE-2016-3191", "CVE-2017-1000366", "CVE-2016-1839", "CVE-2016-8624", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-9047", "CVE-2015-8948", "CVE-2014-7824", "CVE-2015-8842", "CVE-2016-9597", "CVE-2016-6303", "CVE-2015-8383", "CVE-2017-1000100", "CVE-2015-8381", "CVE-2016-2182", "CVE-2016-5421", "CVE-2016-9586", "CVE-2015-5073", "CVE-2016-4447", "CVE-2016-5011", "CVE-2015-7511", "CVE-2015-8385", "CVE-2015-8806", "CVE-2016-9841", "CVE-2016-4579", "CVE-2015-0245", "CVE-2016-2037", "CVE-2016-2073", "CVE-2016-5419", "CVE-2015-2328", "CVE-2017-6507", "CVE-2016-4658", "CVE-2016-7167", "CVE-2017-10684", "CVE-2016-2179", "CVE-2016-2106", "CVE-2016-1833", "CVE-2015-8387", "CVE-2016-8621", "CVE-2015-8390", "CVE-2017-9050"], "modified": "2017-10-11T03:07:32", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html", "id": "SUSE-SU-2017:2700-1", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2018-08-31T04:13:47", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-03-10T00:00:00", "title": "Oracle Critical Patch Update - January 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle HCM Configuration Workbench", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.4.2", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.2", "operator": "le"}, {"name": "Workspace Manager", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u72", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Java SE", "version": "5.0u75", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.3", "operator": "le"}, {"name": "Workspace Manager", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "8.0", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.20", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "27.8.4", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.2.2", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1118", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u85", "operator": "le"}, {"name": "Java SE", "version": "8u25", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.1.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2240", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u71", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "1.x", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5.0", "operator": "le"}, {"name": "MICROS Retail", "version": "6.0.6", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1.1.7", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3.", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE", "version": "6u85", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.4", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "3.0.x", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.3", "operator": "le"}, {"name": "Solaris", "version": "11", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.34", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.2.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.28", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.1.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u25", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "MICROS Retail", "version": "5.5.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "10.1.3.4.2", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "10.1.3.4.2", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.26", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.2.2", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.4", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "4.x", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7", "operator": "le"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.26", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Containers for J2EE", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.38", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.28", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "4", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "5.0u75", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "MICROS Retail", "version": "4.5.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "5.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Java SE", "version": "7u72", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.26", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.2.2", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.2.2", "operator": "le"}, {"name": "MICROS Retail", "version": "3.2.1", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5.33.0", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.1.1", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1119", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.14", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "MICROS Retail", "version": "6.5.2", "operator": "le"}, {"name": "PL/SQL", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.4", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.40", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u6", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.2.2", "operator": "le"}, {"name": "Integrated Lights Out Manager(ILOM)", "version": "3.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.0.2.0", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.0.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.19", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2232", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.0", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.36", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.52", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "3.x", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Agile PLM for Process", "version": "6.1.0.3", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.21", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.4", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.2", "operator": "le"}, {"name": "Recovery", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "2.x", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.5", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.2.1.0", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.2.2", "operator": "le"}, {"name": "PL/SQL", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.24", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "4.0.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "5.0.3", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.0", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.1.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.3.6.0", "operator": "le"}, {"name": "MICROS Retail", "version": "4.8.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Waveset", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-20T00:00:00", "id": "ORACLE:CPUJAN2015-1972971", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:56", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-10-20T00:00:00", "title": "Oracle Critical Patch Update - October 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Access Manager", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Database Scheduler", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform", "version": "3.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.85", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Java SE", "version": "6u101", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.6.1.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Mobile Server", "version": "12.1.0.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9.1.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2015", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "4.1.6", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "6.0.2", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2014", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u51", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "2.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.2", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.0.6", "operator": "le"}, {"name": "Mobile Server", "version": "11.3.0.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.20", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "8.1", "operator": "le"}, {"name": "Java SE", "version": "8u60", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0IN", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.4.0.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "14.0.", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u101", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.1.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.30", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.8", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.3", "operator": "le"}, {"name": "Oracle Communications LSMS", "version": "13.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "5.1.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.5.1.1", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Payments", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "10.5.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "9.9.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.44", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "10.1.5", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "7.1.0", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "2.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.7", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.38", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.42", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.34", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u60", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.32", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Payments", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquistion Managment", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0IN", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.24", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.25", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.1", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.34", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "2.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2271", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "11.1.1.7.4", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u60", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Expenses", "version": "9.2", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "10.1.3.5.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "9.0", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "OSS Support Tools", "version": "8.8.15.7.15", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.30", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0.", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Database Scheduler", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Mobile Server", "version": "10.3.0.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.45", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u101", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.20", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "12.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.20", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.1", "operator": "le"}, {"name": "Oracle Mobile Security Suite", "version": "3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Portable Clusterware", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0.", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Database Scheduler", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.4", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "12.0IN", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.22", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "11.5.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.26", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u51", "operator": "le"}, {"name": "Oracle Communications Convergence", "version": "2.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u85", "operator": "le"}, {"name": "Oracle Communications Convergence", "version": "3.0.1", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.26", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.2", "operator": "le"}, {"name": "Oracle Payments", "version": "11.5.10.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.43", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u60", "operator": "le"}, {"name": "Java SE", "version": "7u85", "operator": "le"}, {"name": "Oracle Communications Tekelec HLR Router", "version": "4.0.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Hyperion Installation Technology", "version": "11.1.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u85", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "9.0.3", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Report Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9", "operator": "le"}], "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-1792", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2014-7923", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-3236", "CVE-2015-4868", "CVE-2014-3572", "CVE-2015-0206", "CVE-1999-0377", "CVE-2015-1789", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2014-8150", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-2522", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2015-0288", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-0285", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-3153", "CVE-2015-0207", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2014-8275", "CVE-2015-4869", "CVE-2015-0208", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2014-3570", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2014-8147", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2014-3707", "CVE-2015-4912", "CVE-2015-0293", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-1788", "CVE-2015-2633", "CVE-2015-4807", "CVE-2014-8146", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-0209", "CVE-2015-3183", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-0204", "CVE-2014-7926", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-1790", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-0291", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4854", "CVE-2015-0287", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-0289", "CVE-2015-4916", "CVE-2015-4826", "CVE-2015-0292", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "modified": "2016-09-29T00:00:00", "id": "ORACLE:CPUOCT2015-2367953", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}