Advisory ROSA-SA-2021-1905

2021-07-02 17:25:35
ROSA LAB
abf.rosalinux.ru
CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8 High (Confidence: High)

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.341 Low (Percentile: 97.0%)

Software: libxml2 2.9.1
OS: Cobalt 7.9

CVE-ID: CVE-2013-0339
CVE-Crit: HIGH
CVE-DESC: libxml2 before 2.9.1 does not handle external entity extension properly if the application developer does not use the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, also known as an XML External Entity (XXE) problem. NOTE: it could be argued that since libxml2 already provides the ability to disable external entity extensions, it is the responsibility of application developers to address this issue; according to this argument, this entry should be DISCLAIMED, and each affected application will need its own CVE.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8241
CVE-Crit: HIGH
CVE-DESC: The xmlNextChar function in libxml2 2.9.2 incorrectly checks state, allowing context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or obtain sensitive information via crafted XML data.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8710
CVE-Crit: CRITICAL
CVE-DESC: The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8806
CVE-Crit: HIGH
CVE-DESC: dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) with an unexpected character right after the substring "

OS      Version  Architecture  Package  Version  Filename
Cobalt  any      noarch        libxml2  < 2.9.1  UNKNOWN
