This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --kjL7jpu8poHKMsP3C58OWKhMFXbEgMuRH Content-Type: multipart/mixed; boundary="59kGCA2Wtu9meK7GXiOX6QiiX0BgSORpN" From: Aaron Bauman <bman@gentoo.org> To: gentoo-announce@lists.gentoo.org Message-ID: <ebe247b4-cba7-256c-1517-86f6c56b816f@gentoo.org> Subject: [ GLSA 201701-21 ] Expat: Multiple vulnerabilities
--59kGCA2Wtu9meK7GXiOX6QiiX0BgSORpN Content-Type: multipart/alternative; boundary="------------D4FE6E2CCD5EBB7687A51C92"
This is a multi-part message in MIME format. --------------D4FE6E2CCD5EBB7687A51C92 Content-Type: text/plain; charset=utf- Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201701-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal Title: Expat: Multiple vulnerabilities Date: January 11, 2017 Bugs: #458742, #555642, #577928, #583268, #585510 ID: 201701-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
Multiple vulnerabilities have been found in Expat, the worst of which may allow execution of arbitrary code.
Background ==========
Expat is a set of XML parsing libraries.
Affected packages =================
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/expat < 2.2.0-r1 >= 2.2.0-r1
Description ===========
Multiple vulnerabilities have been discovered in Expat. Please review the CVE identifiers referenced below for details.
Impact ======
A remote attacker, by enticing a user to process a specially crafted XML file, could execute arbitrary code with the privileges of the process or cause a Denial of Service condition. This attack could also be used against automated systems that arbitrarily process XML files.
Workaround ==========
There is no known workaround at this time.
Resolution ==========
All Expat users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.2.0-r1"
References ==========
[ 1 ] CVE-2012-6702 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6702 [ 2 ] CVE-2013-0340 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0340 [ 3 ] CVE-2015-1283 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1283 [ 4 ] CVE-2016-0718 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0718 [ 5 ] CVE-2016-4472 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4472 [ 6 ] CVE-2016-5300 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5300
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201701-21
Concerns? =========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License =======
Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--------------D4FE6E2CCD5EBB7687A51C92 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
<html> <head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf= -8"> </head> <body bgcolor=3D"#FFFFFF" text=3D"#000000"> <p> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Du= tf-8"> </p> <pre style=3D"color: rgb(0, 0, 0); font-style: normal; font-variant-l= igatures: normal; font-variant-caps: normal; font-weight: normal; letter-= spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-tr= ansform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0= px; word-wrap: break-word; white-space: pre-wrap;">- - - - - - - - - - - = - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201701-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <a class=3D"moz-txt-link-freet= ext" href=3D"https://security.gentoo.org/">https://security.gentoo.org/</= a> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal Title: Expat: Multiple vulnerabilities Date: January 11, 2017 Bugs: #458742, #555642, #577928, #583268, #585510 ID: 201701-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis =3D=3D=3D=3D=3D=3D=3D=3D
Multiple vulnerabilities have been found in Expat, the worst of which may allow execution of arbitrary code.
Background =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Expat is a set of XML parsing libraries.
Affected packages =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/expat < 2.2.0-r1 >=3D 2.2.= 0-r1=20
Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Multiple vulnerabilities have been discovered in Expat. Please review the CVE identifiers referenced below for details.
Impact =3D=3D=3D=3D=3D=3D
A remote attacker, by enticing a user to process a specially crafted XML file, could execute arbitrary code with the privileges of the process or cause a Denial of Service condition. This attack could also be used against automated systems that arbitrarily process XML files.
Workaround =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
There is no known workaround at this time.
Resolution =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
All Expat users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=3Ddev-libs/expat-2.2.0-r1"
References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[ 1 ] CVE-2012-6702 <a class=3D"moz-txt-link-freetext" href=3D"http://nvd.nist.gov/nvd.= cfm?cvename=3DCVE-2012-6702">http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-20= 12-6702</a> [ 2 ] CVE-2013-0340 <a class=3D"moz-txt-link-freetext" href=3D"http://nvd.nist.gov/nvd.= cfm?cvename=3DCVE-2013-0340">http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-20= 13-0340</a> [ 3 ] CVE-2015-1283 <a class=3D"moz-txt-link-freetext" href=3D"http://nvd.nist.gov/nvd.= cfm?cvename=3DCVE-2015-1283">http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-20= 15-1283</a> [ 4 ] CVE-2016-0718 <a class=3D"moz-txt-link-freetext" href=3D"http://nvd.nist.gov/nvd.= cfm?cvename=3DCVE-2016-0718">http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-20= 16-0718</a> [ 5 ] CVE-2016-4472 <a class=3D"moz-txt-link-freetext" href=3D"http://nvd.nist.gov/nvd.= cfm?cvename=3DCVE-2016-4472">http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-20= 16-4472</a> [ 6 ] CVE-2016-5300 <a class=3D"moz-txt-link-freetext" href=3D"http://nvd.nist.gov/nvd.= cfm?cvename=3DCVE-2016-5300">http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-20= 16-5300</a>
Availability =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
<a class=3D"moz-txt-link-freetext" href=3D"https://security.gentoo.org/g= lsa/201701-21">https://security.gentoo.org/glsa/201701-21</a>
Concerns? =3D=3D=3D=3D=3D=3D=3D=3D=3D
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to <a class=3D"moz-txt-link-abbreviated" href=3D"mailto:security@gentoo.org"= >security@gentoo.org</a> or alternatively, you may file a bug at <a class=3D"moz-txt-link-freetext" href=3D"https://bugs.gentoo.org">https= ://bugs.gentoo.org</a>.
License =3D=3D=3D=3D=3D=3D=3D
Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
<a class=3D"moz-txt-link-freetext" href=3D"http://creativecommons.org/lic= enses/by-sa/2.5">http://creativecommons.org/licenses/by-sa/2.5</a></pre> </body> </html>
--------------D4FE6E2CCD5EBB7687A51C92--
--59kGCA2Wtu9meK7GXiOX6QiiX0BgSORpN--
--kjL7jpu8poHKMsP3C58OWKhMFXbEgMuRH Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2
iQJ8BAEBCgBmBQJYdiFlXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ1OTcyRDI4NDhFOEE0NDYwRTdERTY4QUM5 RjI4QkQ4QkQxRTM5NUZGAAoJEJ8ovYvR45X/k9wP/iuyxQWSbNYGE9ofrIk22YBP 1URBMxhkrMvfr7FuYWYinDj+3raNcP9OGlZpA9jenP9ENz/ZqaHwA7o7rgI9TEU0 Z66DxUgoDVS9VgH2tGiFlFwMyqvybxS9LdlswIcTQzVozI0ucv6xUMd9LkjbAcM3 pBMGK/JngXMp6SSnqi7dFMumoXRMgKMcO4E93SP9tvrZgb5ROFJ+F2po5QZ7NsLD sU99lgiKhw3jIq7IdSdF7Q0fTSRyr8WzRXpfmNBqppQ3b9b5uzxlVpDtZ31U3dOw GN4DrTyU0YREX+dOvCryNq4fgwmhL8eyFvr6GBeZ0Hk/wVgxVDNbTrBtOvGwSOqf m8Bs2P2faHF6/KrCcH9evfSSy9EPXCNYhQw9qnRKWoD6AQ4ELsi356JtB6n5+uTS LTcIYUJzz8hiOPLLXvpNGUhvEBiI0ps9Hk49moJiCwo+hDZiWMsFmBCswzYDq4ll uRrx1VNtceP7EyaXZtAYSNnQ8j/hnvP6vBYJ0hjs1zIHlY1zJ1pZ1WGnavdYrDmo MJaBbqc+VAuTrMlAawp/c6znpDYXzYBI9qhLWDNq3IPlB7PhlMRX6YepQP1VLwbD VNJn7mFGtjfnUfAskrgcyKGcgdZvtYk4pvYBTWOggHuvLAlGTbw5LqH4LN9z2XvU oSJecyBaJMIA/BRfdNFT =6U8F -----END PGP SIGNATURE-----
--kjL7jpu8poHKMsP3C58OWKhMFXbEgMuRH--
|