Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.870741
Category:Red Hat Local Security Checks
Title:RedHat Update for libxml2 RHSA-2011:1749-03
Summary:The remote host is missing an update for the 'libxml2'; package(s) announced via the referenced advisory.
Description:Summary:
The remote host is missing an update for the 'libxml2'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The libxml2 library is a development toolbox providing the implementation
of various XML standards. One of those standards is the XML Path Language
(XPath), which is a language for addressing parts of an XML document.

An off-by-one error, leading to a heap-based buffer overflow, was found in
the way libxml2 parsed certain XML files. A remote attacker could provide
a specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2011-0216)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libxml2 parsed certain XPath expressions. If an attacker
were able to supply a specially-crafted XML file to an application using
libxml2, as well as an XPath expression for that application to run against
the crafted file, it could cause the application to crash or, possibly,
execute arbitrary code. (CVE-2011-1944)

Multiple flaws were found in the way libxml2 parsed certain XPath
expressions. If an attacker were able to supply a specially-crafted XML
file to an application using libxml2, as well as an XPath expression for
that application to run against the crafted file, it could cause the
application to crash. (CVE-2010-4008, CVE-2010-4494, CVE-2011-2821,
CVE-2011-2834)

Note: Red Hat does not ship any applications that use libxml2 in a way that
would allow the CVE-2011-1944, CVE-2010-4008, CVE-2010-4494, CVE-2011-2821,
and CVE-2011-2834 flaws to be exploited. However, third-party applications
may allow XPath expressions to be passed which could trigger these flaws.

Red Hat would like to thank the Google Security Team for reporting the
CVE-2010-4008 issue. Upstream acknowledges Bui Quang Minh from Bkis as the
original reporter of CVE-2010-4008.

This update also fixes the following bugs:

* A number of patches have been applied to harden the XPath processing code
in libxml2, such as fixing memory leaks, rounding errors, XPath numbers
evaluations, and a potential error in encoding conversion. (BZ#732335)

All users of libxml2 are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. The desktop must
be restarted (log out, then log back in) for this update to take effect.

Affected Software/OS:
libxml2 on Red Hat Enterprise Linux Desktop (v. 6),
Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Workstation (v. 6)

Solution:
Please Install the Updated Packages.

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2010-4008
http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
http://lists.apple.com/archives/security-announce/2011/Mar/msg00000.html
http://lists.apple.com/archives/security-announce/2011//Mar/msg00004.html
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
BugTraq ID: 44779
http://www.securityfocus.com/bid/44779
Debian Security Information: DSA-2128 (Google Search)
http://www.debian.org/security/2010/dsa-2128
HPdes Security Advisory: HPSBGN02970
http://marc.info/?l=bugtraq&m=139447903326211&w=2
HPdes Security Advisory: HPSBMA02662
http://marc.info/?l=bugtraq&m=130331363227777&w=2
HPdes Security Advisory: SSRT100409
http://www.mandriva.com/security/advisories?name=MDVSA-2010:243
http://blog.bkis.com/en/libxml2-vulnerability-in-google-chrome-and-apple-safari/
http://mail.gnome.org/archives/xml/2010-November/msg00015.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12148
http://www.redhat.com/support/errata/RHSA-2011-1749.html
RedHat Security Advisories: RHSA-2013:0217
http://rhn.redhat.com/errata/RHSA-2013-0217.html
http://secunia.com/advisories/40775
http://secunia.com/advisories/42109
http://secunia.com/advisories/42175
http://secunia.com/advisories/42314
http://secunia.com/advisories/42429
SuSE Security Announcement: SUSE-SR:2010:023 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
http://www.ubuntu.com/usn/USN-1016-1
http://www.vupen.com/english/advisories/2010/3046
http://www.vupen.com/english/advisories/2010/3076
http://www.vupen.com/english/advisories/2010/3100
http://www.vupen.com/english/advisories/2011/0230
Common Vulnerability Exposure (CVE) ID: CVE-2010-4494
http://lists.apple.com/archives/security-announce/2011//Mar/msg00003.html
Debian Security Information: DSA-2137 (Google Search)
http://www.debian.org/security/2010/dsa-2137
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055775.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:260
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11916
http://secunia.com/advisories/42472
http://secunia.com/advisories/42721
http://secunia.com/advisories/42762
SuSE Security Announcement: SUSE-SR:2011:005 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://www.vupen.com/english/advisories/2010/3319
http://www.vupen.com/english/advisories/2010/3336
Common Vulnerability Exposure (CVE) ID: CVE-2011-0216
http://lists.apple.com/archives/security-announce/2011//Jul/msg00002.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
Debian Security Information: DSA-2394 (Google Search)
http://www.debian.org/security/2012/dsa-2394
http://www.mandriva.com/security/advisories?name=MDVSA-2011:188
Common Vulnerability Exposure (CVE) ID: CVE-2011-1944
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
BugTraq ID: 48056
http://www.securityfocus.com/bid/48056
Debian Security Information: DSA-2255 (Google Search)
http://www.debian.org/security/2011/dsa-2255
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062238.html
HPdes Security Advisory: HPSBMU02786
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
HPdes Security Advisory: SSRT100877
http://www.mandriva.com/security/advisories?name=MDVSA-2011:131
http://scarybeastsecurity.blogspot.com/2011/05/libxml-vulnerability-and-interesting.html
http://www.openwall.com/lists/oss-security/2011/05/31/8
http://www.osvdb.org/73248
http://secunia.com/advisories/44711
SuSE Security Announcement: openSUSE-SU-2011:0839 (Google Search)
http://lists.opensuse.org/opensuse-updates/2011-07/msg00035.html
http://ubuntu.com/usn/usn-1153-1
Common Vulnerability Exposure (CVE) ID: CVE-2011-2821
http://www.mandriva.com/security/advisories?name=MDVSA-2011:145
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13840
Common Vulnerability Exposure (CVE) ID: CVE-2011-2834
http://osvdb.org/75560
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14410
XForce ISS Database: chrome-libxml-code-execution(69885)
https://exchange.xforce.ibmcloud.com/vulnerabilities/69885
CopyrightCopyright (C) 2012 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.