openSUSE Security Update: Security update for libxml2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:1446-1
Rating:             moderate
References:         #962796 #972335 #975947
Cross-References:   CVE-2016-3627 CVE-2016-3705
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

libxml2 was updated to fix security issues and a regression from the last
version update.

Security issues fixed:
- CVE-2016-3627: Fixed stack exhaustion while parsing certain XML files in
  recovery mode (bnc#972335).
- CVE-2016-3705: Improved protection against the Billion Laughs Attack
  (bnc#975947).

Regression fixed:
- Fixed XML push parser that fails with bogus UTF-8 encoding error when
  multi-byte character in large CDATA section is split across buffer
  [bnc#962796]

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

  zypper in -t patch openSUSE-2016-662=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

  libxml2-2-2.9.3-7.11.1
  libxml2-2-debuginfo-2.9.3-7.11.1
  libxml2-debugsource-2.9.3-7.11.1
  libxml2-devel-2.9.3-7.11.1
  libxml2-tools-2.9.3-7.11.1
  libxml2-tools-debuginfo-2.9.3-7.11.1
  python-libxml2-2.9.3-7.11.1
  python-libxml2-debuginfo-2.9.3-7.11.1
  python-libxml2-debugsource-2.9.3-7.11.1

- openSUSE 13.2 (x86_64):

  libxml2-2-32bit-2.9.3-7.11.1
  libxml2-2-debuginfo-32bit-2.9.3-7.11.1
  libxml2-devel-32bit-2.9.3-7.11.1

- openSUSE 13.2 (noarch):

  libxml2-doc-2.9.3-7.11.1

References:

  https://www.suse.com/security/cve/CVE-2016-3627.html
  https://www.suse.com/security/cve/CVE-2016-3705.html
  https://bugzilla.suse.com/962796
  https://bugzilla.suse.com/972335
  https://bugzilla.suse.com/975947
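
Added example (not part of the openSUSE announcement): a post-patch check that lists any libxml2 or python-libxml2 package still older than the 2.9.3-7.11.1 build in the Package List above. The function name find_unpatched and the sample input are constructed for illustration, and GNU "sort -V" is assumed as an approximation of RPM's own version ordering.

```shell
#!/bin/sh
# Added example: flag libxml2 packages older than the fixed build.
FIXED="2.9.3-7.11.1"   # version-release taken from the advisory's Package List

# Reads "name version-release" lines on stdin and prints the libxml2 and
# python-libxml2 packages whose version sorts below FIXED.
# GNU `sort -V` is used as an approximation of RPM version comparison; it is
# adequate for the purely numeric version strings involved here.
find_unpatched() {
    while read -r name ver; do
        [ -n "$name" ] || continue
        case "$name" in
            libxml2*|python-libxml2*) ;;   # packages covered by this update
            *) continue ;;                 # unrelated package, ignore
        esac
        if [ "$ver" = "$FIXED" ]; then
            continue                       # exactly the fixed build
        fi
        lowest=$(printf '%s\n%s\n' "$ver" "$FIXED" | sort -V | head -n 1)
        if [ "$lowest" = "$ver" ]; then
            printf '%s %s\n' "$name" "$ver"   # older than the fixed build
        fi
    done
    return 0
}

# Constructed sample in the shape produced by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# The old version strings below are made up for the demonstration.
SAMPLE='libxml2-2 2.9.3-7.8.1
libxml2-tools 2.9.3-7.11.1
python-libxml2 2.9.1-2.1
zlib 1.2.8-5.1'

# On a live host, pipe the rpm query above into find_unpatched instead.
printf '%s\n' "$SAMPLE" | find_unpatched
```

An empty result means every installed libxml2 package is at or above the fixed build; the reboot requested under Special Instructions is still needed so that running processes load the updated library.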