Lucene search

K
suseSuseOPENSUSE-SU-2016:1594-1
HistoryJun 16, 2016 - 1:08 p.m.

Security update for libxml2 (important)

2016-06-1613:08:21
lists.opensuse.org
38

0.036 Low

EPSS

Percentile

91.7%

This update brings libxml2 to version 2.9.4.

These security issues were fixed:

  • CVE-2016-3627: The xmlStringGetNodeList function in tree.c, when used in
    recovery mode, allowed context-dependent attackers to cause a denial of
    service (infinite recursion, stack consumption, and application crash)
    via a crafted XML document (bsc#972335).
  • CVE-2016-1833: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1834, CVE-2016-1836,
    CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840
    (bsc#981108).
  • CVE-2016-1835: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document (bsc#981109).
  • CVE-2016-1837: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1833, CVE-2016-1834,
    CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840
    (bsc#981111).
  • CVE-2016-1836: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1833, CVE-2016-1834,
    CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840
    (bsc#981110).
  • CVE-2016-1839: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1833, CVE-2016-1834,
    CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840
    (bsc#981114).
  • CVE-2016-1838: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1833, CVE-2016-1834,
    CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840
    (bsc#981112).
  • CVE-2016-1840: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1833, CVE-2016-1834,
    CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839
    (bsc#981115).
  • CVE-2016-4483: out-of-bounds read parsing an XML using recover mode
    (bnc#978395).
  • CVE-2016-1834: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document, a different vulnerability than CVE-2016-1833, CVE-2016-1836,
    CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840
    (bsc#981041).
  • CVE-2016-3705: The (1) xmlParserEntityCheck and (2)
    xmlParseAttValueComplex functions in parser.c in libxml2 did not
    properly keep track of the recursion depth, which allowed
    context-dependent attackers to cause a denial of service (stack
    consumption and application crash) via a crafted XML document containing
    a large number of nested entity references (bsc#975947).
  • CVE-2016-1762: libxml2 allowed remote attackers to execute arbitrary
    code or cause a denial of service (memory corruption) via a crafted XML
    document (bsc#981040).

This non-security issue was fixed:

  • bnc#983288: Fix attribute decoding during XML schema validation