Sicherheit: Zwei Probleme in libxml2

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1221185437-11275-9089

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:192
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libxml2
Date : September 11, 2008
Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

A heap-based buffer overflow was found in how libxml2 handled long
XML entity names. If an application linked against libxml2 processed
untrusted malformed XML content, it could cause the application to
crash or possibly execute arbitrary code (CVE-2008-3529).

The updated packages have been patched to prevent this issue.
As well, the patch to fix CVE-2008-3281 has been updated to remove
the hard-coded entity limit that was set to 5M, instead using XML
entity density heuristics. Many thanks to Daniel Veillard of Red Hat
for his hard work in tracking down and dealing with the edge cases
discovered with the initial fix to this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
9250adec77a5118119d5000f2305540f
2007.1/i586/libxml2-2.6.27-3.4mdv2007.1.i586.rpm
103dba08606f0038f3a9f4107ceba442
2007.1/i586/libxml2-devel-2.6.27-3.4mdv2007.1.i586.rpm
a388bf596ef6725fb5baadb4e056a0bd
2007.1/i586/libxml2-python-2.6.27-3.4mdv2007.1.i586.rpm
d2333e42a538101e36eab7d12467e08b
2007.1/i586/libxml2-utils-2.6.27-3.4mdv2007.1.i586.rpm
94a25c63f54693b7ac289223a6a3a687
2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
343f8656039b69716fe712eeb2d1bf4e
2007.1/x86_64/lib64xml2-2.6.27-3.4mdv2007.1.x86_64.rpm
320d8dd8245f5ec6db46bedaf07afb3e
2007.1/x86_64/lib64xml2-devel-2.6.27-3.4mdv2007.1.x86_64.rpm
fb6f52df6831cda42db46502cc761475
2007.1/x86_64/lib64xml2-python-2.6.27-3.4mdv2007.1.x86_64.rpm
8440fc08fee99f18a81a32035fac166a
2007.1/x86_64/libxml2-utils-2.6.27-3.4mdv2007.1.x86_64.rpm
94a25c63f54693b7ac289223a6a3a687
2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

Mandriva Linux 2008.0:
c53b40d9c7ebec036f9175c8f4e87b3b
2008.0/i586/libxml2_2-2.6.30-1.4mdv2008.0.i586.rpm
4a4ed97086b52cab3bbd34fe4d7003a0
2008.0/i586/libxml2-devel-2.6.30-1.4mdv2008.0.i586.rpm
d3898465dc2797a2b20be8310dd4f484
2008.0/i586/libxml2-python-2.6.30-1.4mdv2008.0.i586.rpm
34c524fa03b470093bd0b0c679bcb9c4
2008.0/i586/libxml2-utils-2.6.30-1.4mdv2008.0.i586.rpm
2dc2f4732992e27aea4c5a098c631ae8
2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
20ac98b346a1f18b90504cb623c530d8
2008.0/x86_64/lib64xml2_2-2.6.30-1.4mdv2008.0.x86_64.rpm
fd5907e801bf4f64ee79d097fcaec2b6
2008.0/x86_64/lib64xml2-devel-2.6.30-1.4mdv2008.0.x86_64.rpm
20f45401e501b9639a9b53d82a4e031f
2008.0/x86_64/libxml2-python-2.6.30-1.4mdv2008.0.x86_64.rpm
22be20e194ba2177a47d831ee8c82f47
2008.0/x86_64/libxml2-utils-2.6.30-1.4mdv2008.0.x86_64.rpm
2dc2f4732992e27aea4c5a098c631ae8
2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

Mandriva Linux 2008.1:
61e96824adc6e61b2764bb3a85e2e76d
2008.1/i586/libxml2_2-2.6.31-1.3mdv2008.1.i586.rpm
6d0cc51d32c7b6ecd609250aad302034
2008.1/i586/libxml2-devel-2.6.31-1.3mdv2008.1.i586.rpm
1e7c4ddd30677789de05cc464dde9790
2008.1/i586/libxml2-python-2.6.31-1.3mdv2008.1.i586.rpm
edd477e34b08f94956eeedd387b5e509
2008.1/i586/libxml2-utils-2.6.31-1.3mdv2008.1.i586.rpm
b1078a83185c1c97fada7ea5e97df753
2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
9d25e809ad31decb111a38301b2a74c1
2008.1/x86_64/lib64xml2_2-2.6.31-1.3mdv2008.1.x86_64.rpm
f35af82dffc02628edb1ce03113c3ba0
2008.1/x86_64/lib64xml2-devel-2.6.31-1.3mdv2008.1.x86_64.rpm
5819b393de9ff05be4d670c8e5d36080
2008.1/x86_64/libxml2-python-2.6.31-1.3mdv2008.1.x86_64.rpm
fb670bfb1a1673f99f3c3fc3a72b7777
2008.1/x86_64/libxml2-utils-2.6.31-1.3mdv2008.1.x86_64.rpm
b1078a83185c1c97fada7ea5e97df753
2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

Corporate 3.0:
82e733037c09b4b7770f5325c7ed1325
corporate/3.0/i586/libxml2-2.6.6-1.5.C30mdk.i586.rpm
d66da7916f188883fd164cb250431bba
corporate/3.0/i586/libxml2-devel-2.6.6-1.5.C30mdk.i586.rpm
5df28181424b19132bbff6afa872475a
corporate/3.0/i586/libxml2-python-2.6.6-1.5.C30mdk.i586.rpm
f7a86c3be6e4926fa101386a9cbbcbdd
corporate/3.0/i586/libxml2-utils-2.6.6-1.5.C30mdk.i586.rpm
c64826e1b31ed0c5d4514780ecd52e2e
corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

Corporate 3.0/X86_64:
76e631bd88c68085dc2c5702235c2a99
corporate/3.0/x86_64/lib64xml2-2.6.6-1.5.C30mdk.x86_64.rpm
827f9f5bc3a1b869353e3c09879ea432
corporate/3.0/x86_64/lib64xml2-devel-2.6.6-1.5.C30mdk.x86_64.rpm
caafa3371f80f084e8a945b3114b4533
corporate/3.0/x86_64/lib64xml2-python-2.6.6-1.5.C30mdk.x86_64.rpm
e37a70f9cd13a7e00982387a9ba97726
corporate/3.0/x86_64/libxml2-utils-2.6.6-1.5.C30mdk.x86_64.rpm
c64826e1b31ed0c5d4514780ecd52e2e
corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

Corporate 4.0:
74eea161b5519eef6c16b2407126a847
corporate/4.0/i586/libxml2-2.6.21-3.4.20060mlcs4.i586.rpm
5d8d1e0e487022687c1c61fbaf91707e
corporate/4.0/i586/libxml2-devel-2.6.21-3.4.20060mlcs4.i586.rpm
d5aa677468c9e8baae074a12f6c63c00
corporate/4.0/i586/libxml2-python-2.6.21-3.4.20060mlcs4.i586.rpm
d51b4b902bb911be69f6a17aeb07d8cf
corporate/4.0/i586/libxml2-utils-2.6.21-3.4.20060mlcs4.i586.rpm
ce28651304236296e59d6d3be5525889
corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
812f2ae0ffa7a72546b07bd7de174453
corporate/4.0/x86_64/lib64xml2-2.6.21-3.4.20060mlcs4.x86_64.rpm
23ae06098f957e46affa75220cac50af
corporate/4.0/x86_64/lib64xml2-devel-2.6.21-3.4.20060mlcs4.x86_64.rpm
93cb252dadfadd4249062f903e604f82
corporate/4.0/x86_64/lib64xml2-python-2.6.21-3.4.20060mlcs4.x86_64.rpm
aeff512a1b349108017e93633fabcf08
corporate/4.0/x86_64/libxml2-utils-2.6.21-3.4.20060mlcs4.x86_64.rpm
ce28651304236296e59d6d3be5525889
corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIyaCLmqjQ0CJFipgRApioAJ9P7O5hzNQ4UuYvEIhTVLyyn9Tv9wCg4DSp
mZuI5mJOfDomJXN1l5E7NSw=
=tPwM
-----END PGP SIGNATURE-----

------------=_1221185437-11275-9089
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1221185437-11275-9089--