Test ID:	1.3.6.1.4.1.25623.1.0.120618
Category:	Amazon Linux Local Security Checks
Title:	Amazon Linux: Security Advisory (ALAS-2015-628)
Summary:	The remote host is missing an update for the 'libxml2' package(s) announced via the ALAS-2015-628 advisory.
Description:	Summary: The remote host is missing an update for the 'libxml2' package(s) announced via the ALAS-2015-628 advisory. Vulnerability Insight: A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory. The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941. libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities. A heap-based buffer overflow vulnerability was found in xmlDictComputeFastQKey in dict.c. A heap-based buffer overflow read in xmlParseMisc was found. A heap-based buffer overflow was found in xmlGROW allowing the attacker to read the memory out of bounds. A buffer overread in xmlNextChar was found, causing segmentation fault when compiled with ASAN. Heap-based buffer overflow was found in xmlParseXmlDecl. When conversion failure happens, parser continues to extract more errors which may lead to unexpected behaviour. Stack-based buffer overread vulnerability with HTML parser in push mode in xmlSAX2TextNode causing segmentation fault when compiled with ASAN. A vulnerability in libxml2 was found causing DoS by exhausting CPU when parsing specially crafted XML document. An out-of-bounds heap read in xmlParseXMLDecl happens when a file containing unfinished xml declaration. Affected Software/OS: 'libxml2' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 7.1 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-1819 1034243 http://www.securitytracker.com/id/1034243 75570 http://www.securityfocus.com/bid/75570 APPLE-SA-2016-03-21-1 http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html APPLE-SA-2016-03-21-2 http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html APPLE-SA-2016-03-21-3 http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html APPLE-SA-2016-03-21-5 http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html DSA-3430 http://www.debian.org/security/2015/dsa-3430 FEDORA-2015-037f844d3e http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172943.html FEDORA-2015-c24af963a2 http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172710.html GLSA-201507-08 https://security.gentoo.org/glsa/201507-08 GLSA-201701-37 https://security.gentoo.org/glsa/201701-37 RHSA-2015:1419 http://rhn.redhat.com/errata/RHSA-2015-1419.html RHSA-2015:2550 http://rhn.redhat.com/errata/RHSA-2015-2550.html USN-2812-1 http://www.ubuntu.com/usn/USN-2812-1 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://xmlsoft.org/news.html https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 https://support.apple.com/HT206166 https://support.apple.com/HT206167 https://support.apple.com/HT206168 https://support.apple.com/HT206169 openSUSE-SU-2015:2372 http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html openSUSE-SU-2016:0106 http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html Common Vulnerability Exposure (CVE) ID: CVE-2015-5312 79536 http://www.securityfocus.com/bid/79536 HPSBGN03537 http://marc.info/?l=bugtraq&m=145382616617563&w=2 RHSA-2015:2549 http://rhn.redhat.com/errata/RHSA-2015-2549.html RHSA-2016:1089 http://rhn.redhat.com/errata/RHSA-2016-1089.html USN-2834-1 http://www.ubuntu.com/usn/USN-2834-1 http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html https://bugzilla.redhat.com/show_bug.cgi?id=1276693 https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172 Common Vulnerability Exposure (CVE) ID: CVE-2015-7497 79508 http://www.securityfocus.com/bid/79508 https://bugzilla.redhat.com/show_bug.cgi?id=1281862 https://git.gnome.org/browse/libxml2/commit/?id=6360a31a84efe69d155ed96306b9a931a40beab9 Common Vulnerability Exposure (CVE) ID: CVE-2015-7498 79548 http://www.securityfocus.com/bid/79548 https://bugzilla.redhat.com/show_bug.cgi?id=1281879 https://git.gnome.org/browse/libxml2/commit/?id=afd27c21f6b36e22682b7da20d726bce2dcb2f43 Common Vulnerability Exposure (CVE) ID: CVE-2015-7499 79509 http://www.securityfocus.com/bid/79509 https://bugzilla.redhat.com/show_bug.cgi?id=1281925 https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Common Vulnerability Exposure (CVE) ID: CVE-2015-7500 79562 http://www.securityfocus.com/bid/79562 https://bugzilla.redhat.com/show_bug.cgi?id=1281943 https://git.gnome.org/browse/libxml2/commit/?id=f1063fdbe7fa66332bbb76874101c2a7b51b519f Common Vulnerability Exposure (CVE) ID: CVE-2015-7941 BugTraq ID: 74241 http://www.securityfocus.com/bid/74241 Debian Security Information: DSA-3430 (Google Search) http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177341.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177381.html HPdes Security Advisory: HPSBGN03537 http://www.openwall.com/lists/oss-security/2015/10/22/5 http://www.openwall.com/lists/oss-security/2015/10/22/8 RedHat Security Advisories: RHSA-2015:2549 RedHat Security Advisories: RHSA-2015:2550 RedHat Security Advisories: RHSA-2016:1089 SuSE Security Announcement: openSUSE-SU-2015:2372 (Google Search) SuSE Security Announcement: openSUSE-SU-2016:0106 (Google Search) Common Vulnerability Exposure (CVE) ID: CVE-2015-7942 BugTraq ID: 79507 http://www.securityfocus.com/bid/79507 Common Vulnerability Exposure (CVE) ID: CVE-2015-8241 BugTraq ID: 77621 http://www.securityfocus.com/bid/77621 http://www.openwall.com/lists/oss-security/2015/11/17/5 http://www.openwall.com/lists/oss-security/2015/11/18/23 Common Vulnerability Exposure (CVE) ID: CVE-2015-8242 BugTraq ID: 77681 http://www.securityfocus.com/bid/77681 Common Vulnerability Exposure (CVE) ID: CVE-2015-8317 http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html BugTraq ID: 91826 http://www.securityfocus.com/bid/91826 https://blog.fuzzing-project.org/28-Libxml2-Several-out-of-bounds-reads.html http://www.openwall.com/lists/oss-security/2015/11/21/1 http://www.openwall.com/lists/oss-security/2015/11/22/3
Copyright	Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.