[security-announce] openSUSE-SU-2016:1594-1: important: Security update for libxml2

openSUSE Security Update: Security update for libxml2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:1594-1 Rating: important References: #972335 #975947 #978395 #981040 #981041 #981108 #981109 #981110 #981111 #981112 #981114 #981115 #983288 Cross-References: CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4483 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has one errata is now available. Description: This update brings libxml2 to version 2.9.4. These security issues were fixed: - CVE-2016-3627: The xmlStringGetNodeList function in tree.c, when used in recovery mode, allowed context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document (bsc#972335). - CVE-2016-1833: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840 (bsc#981108). - CVE-2016-1835: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document (bsc#981109). - CVE-2016-1837: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840 (bsc#981111). - CVE-2016-1836: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840 (bsc#981110). - CVE-2016-1839: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840 (bsc#981114). - CVE-2016-1838: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840 (bsc#981112). - CVE-2016-1840: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839 (bsc#981115). - CVE-2016-4483: out-of-bounds read parsing an XML using recover mode (bnc#978395). - CVE-2016-1834: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840 (bsc#981041). - CVE-2016-3705: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 did not properly keep track of the recursion depth, which allowed context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references (bsc#975947). - CVE-2016-1762: libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document (bsc#981040). This non-security issue was fixed: - bnc#983288: Fix attribute decoding during XML schema validation Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2016-734=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): libxml2-2-2.9.4-7.17.1 libxml2-2-debuginfo-2.9.4-7.17.1 libxml2-debugsource-2.9.4-7.17.1 libxml2-devel-2.9.4-7.17.1 libxml2-tools-2.9.4-7.17.1 libxml2-tools-debuginfo-2.9.4-7.17.1 python-libxml2-2.9.4-7.17.1 python-libxml2-debuginfo-2.9.4-7.17.1 python-libxml2-debugsource-2.9.4-7.17.1 - openSUSE 13.2 (x86_64): libxml2-2-32bit-2.9.4-7.17.1 libxml2-2-debuginfo-32bit-2.9.4-7.17.1 libxml2-devel-32bit-2.9.4-7.17.1 - openSUSE 13.2 (noarch): libxml2-doc-2.9.4-7.17.1 References: https://www.suse.com/security/cve/CVE-2016-1762.html https://www.suse.com/security/cve/CVE-2016-1833.html https://www.suse.com/security/cve/CVE-2016-1834.html https://www.suse.com/security/cve/CVE-2016-1835.html https://www.suse.com/security/cve/CVE-2016-1836.html https://www.suse.com/security/cve/CVE-2016-1837.html https://www.suse.com/security/cve/CVE-2016-1838.html https://www.suse.com/security/cve/CVE-2016-1839.html https://www.suse.com/security/cve/CVE-2016-1840.html https://www.suse.com/security/cve/CVE-2016-3627.html https://www.suse.com/security/cve/CVE-2016-3705.html https://www.suse.com/security/cve/CVE-2016-4483.html https://bugzilla.suse.com/972335 https://bugzilla.suse.com/975947 https://bugzilla.suse.com/978395 https://bugzilla.suse.com/981040 https://bugzilla.suse.com/981041 https://bugzilla.suse.com/981108 https://bugzilla.suse.com/981109 https://bugzilla.suse.com/981110 https://bugzilla.suse.com/981111 https://bugzilla.suse.com/981112 https://bugzilla.suse.com/981114 https://bugzilla.suse.com/981115 https://bugzilla.suse.com/983288 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org