Test ID:	1.3.6.1.4.1.25623.1.0.892369
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-2369-1)
Summary:	The remote host is missing an update for the Debian 'libxml2' package(s) announced via the DLA-2369-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'libxml2' package(s) announced via the DLA-2369-1 advisory. Vulnerability Insight: Several security vulnerabilities were corrected in libxml2, the GNOME XML library. CVE-2017-8872 Global buffer-overflow in the htmlParseTryOrFinish function. CVE-2017-18258 The xz_head function in libxml2 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. CVE-2018-14404 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs may be vulnerable to a denial of service attack. CVE-2018-14567 If the option --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file. CVE-2019-19956 The xmlParseBalancedChunkMemoryRecover function has a memory leak related to newDoc->oldNs. CVE-2019-20388 A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service. CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities can cause a denial of service. CVE-2020-24977 Out-of-bounds read restricted to xmllint --htmlout. For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u3. We recommend that you upgrade your libxml2 packages. For the detailed security status of libxml2 please refer to its security tracker page at: [link moved to references] Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references] Affected Software/OS: 'libxml2' package(s) on Debian 9. Solution: Please install the updated package(s). CVSS Score: 6.4 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2017-18258 https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html https://usn.ubuntu.com/3739-1/ Common Vulnerability Exposure (CVE) ID: CVE-2017-8872 https://bugzilla.gnome.org/show_bug.cgi?id=775200 Common Vulnerability Exposure (CVE) ID: CVE-2018-14404 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 https://bugzilla.redhat.com/show_bug.cgi?id=1595985 https://gitlab.gnome.org/GNOME/libxml2/issues/10 RedHat Security Advisories: RHSA-2019:1543 https://access.redhat.com/errata/RHSA-2019:1543 https://usn.ubuntu.com/3739-2/ Common Vulnerability Exposure (CVE) ID: CVE-2018-14567 BugTraq ID: 105198 http://www.securityfocus.com/bid/105198 Common Vulnerability Exposure (CVE) ID: CVE-2019-19956 https://security.netapp.com/advisory/ntap-20200114-0002/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/ https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549 https://www.oracle.com/security-alerts/cpujul2020.html https://lists.debian.org/debian-lts-announce/2019/12/msg00032.html SuSE Security Announcement: openSUSE-SU-2020:0681 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html SuSE Security Announcement: openSUSE-SU-2020:0781 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00005.html https://usn.ubuntu.com/4274-1/ Common Vulnerability Exposure (CVE) ID: CVE-2019-20388 https://security.netapp.com/advisory/ntap-20200702-0005/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/ https://security.gentoo.org/glsa/202010-04 https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021.html Common Vulnerability Exposure (CVE) ID: CVE-2020-24977 https://security.netapp.com/advisory/ntap-20200924-0001/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/ https://security.gentoo.org/glsa/202107-05 https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E SuSE Security Announcement: openSUSE-SU-2020:1430 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html SuSE Security Announcement: openSUSE-SU-2020:1465 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html Common Vulnerability Exposure (CVE) ID: CVE-2020-7595 https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08 https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
Copyright	Copyright (C) 2020 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.