From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <5755B7E3.5040103@canonical.com>
Subject: [USN-2994-1] libxml2 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2994-1
June 06, 2016

libxml2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in libxml2.
Software Description:
- libxml2: GNOME XML library
Details:
It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2015-8806, CVE-2016-2073, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447)
It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1762, CVE-2016-1834)
Mateusz Jurczyk discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1833, CVE-2016-1838, CVE-2016-1839)
Wei Lei and Liu Yang discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1835, CVE-2016-1837)
Wei Lei and Liu Yang discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-1836)
Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1840)
It was discovered that libxml2 would load certain XML external entities. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly obtain access to arbitrary files or cause resource consumption. (CVE-2016-4449)
Gustavo Grieco discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2016-4483)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 LTS: libxml2 2.9.3+dfsg1-1ubuntu0.1
Ubuntu 15.10: libxml2 2.9.2+zdfsg1-4ubuntu0.4
Ubuntu 14.04 LTS: libxml2 2.9.1+dfsg1-3ubuntu4.8
Ubuntu 12.04 LTS: libxml2 2.7.8.dfsg-5.1ubuntu4.15
After a standard system update you need to reboot your computer to make all the necessary changes.
References:
  http://www.ubuntu.com/usn/usn-2994-1
  CVE-2015-8806, CVE-2016-1762, CVE-2016-1833, CVE-2016-1834,
  CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838,
  CVE-2016-1839, CVE-2016-1840, CVE-2016-2073, CVE-2016-3627,
  CVE-2016-3705, CVE-2016-4447, CVE-2016-4449, CVE-2016-4483
Package Information:
  https://launchpad.net/ubuntu/+source/libxml2/2.9.3+dfsg1-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libxml2/2.9.2+zdfsg1-4ubuntu0.4
  https://launchpad.net/ubuntu/+source/libxml2/2.9.1+dfsg1-3ubuntu4.8
  https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-5.1ubuntu4.15