Security update for libxml2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1446-1 Final 1 1 2016-05-30T13:57:44Z current 2016-05-30T13:57:44Z 2016-05-30T13:57:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxml2 libxml2 was updated to fix security issues and a regression from the last version update. Security issues fixed: - CVE-2016-3627: Fixed stack exhaustion while parsing certain XML files in recovery mode (bnc#972335). - CVE-2016-3705: Improved protection against the Billion Laughs Attack (bnc#975947). Regression fixed: - Fixed XML push parser that fails with bogus UTF-8 encoding error when multi-byte character in large CDATA section is split across buffer [bnc#962796] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-05/msg00127.html E-Mail link for openSUSE-SU-2016:1446-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libxml2-2.9.3-7.11.1 libxml2-2-2.9.3-7.11.1 libxml2-2-32bit-2.9.3-7.11.1 libxml2-2-debuginfo-2.9.3-7.11.1 libxml2-2-debuginfo-32bit-2.9.3-7.11.1 libxml2-debugsource-2.9.3-7.11.1 libxml2-devel-2.9.3-7.11.1 libxml2-devel-32bit-2.9.3-7.11.1 libxml2-doc-2.9.3-7.11.1 libxml2-tools-2.9.3-7.11.1 libxml2-tools-debuginfo-2.9.3-7.11.1 python-libxml2-2.9.3-7.11.1 python-libxml2-debuginfo-2.9.3-7.11.1 python-libxml2-debugsource-2.9.3-7.11.1 libxml2-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-2-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-2-32bit-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-2-debuginfo-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-2-debuginfo-32bit-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-debugsource-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-devel-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-devel-32bit-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-doc-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-tools-2.9.3-7.11.1 as a component of openSUSE 13.2 libxml2-tools-debuginfo-2.9.3-7.11.1 as a component of openSUSE 13.2 python-libxml2-2.9.3-7.11.1 as a component of openSUSE 13.2 python-libxml2-debuginfo-2.9.3-7.11.1 as a component of openSUSE 13.2 python-libxml2-debugsource-2.9.3-7.11.1 as a component of openSUSE 13.2 The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. CVE-2016-3627 openSUSE 13.2:libxml2-2-2.9.3-7.11.1 openSUSE 13.2:libxml2-2-32bit-2.9.3-7.11.1 openSUSE 13.2:libxml2-2-debuginfo-2.9.3-7.11.1 openSUSE 13.2:libxml2-2-debuginfo-32bit-2.9.3-7.11.1 openSUSE 13.2:libxml2-2.9.3-7.11.1 openSUSE 13.2:libxml2-debugsource-2.9.3-7.11.1 openSUSE 13.2:libxml2-devel-2.9.3-7.11.1 openSUSE 13.2:libxml2-devel-32bit-2.9.3-7.11.1 openSUSE 13.2:libxml2-doc-2.9.3-7.11.1 openSUSE 13.2:libxml2-tools-2.9.3-7.11.1 openSUSE 13.2:libxml2-tools-debuginfo-2.9.3-7.11.1 openSUSE 13.2:python-libxml2-2.9.3-7.11.1 openSUSE 13.2:python-libxml2-debuginfo-2.9.3-7.11.1 openSUSE 13.2:python-libxml2-debugsource-2.9.3-7.11.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00127.html https://www.suse.com/security/cve/CVE-2016-3627.html CVE-2016-3627 https://bugzilla.suse.com/1026099 SUSE Bug 1026099 https://bugzilla.suse.com/1026101 SUSE Bug 1026101 https://bugzilla.suse.com/972335 SUSE Bug 972335 https://bugzilla.suse.com/975947 SUSE Bug 975947 The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references. CVE-2016-3705 openSUSE 13.2:libxml2-2-2.9.3-7.11.1 openSUSE 13.2:libxml2-2-32bit-2.9.3-7.11.1 openSUSE 13.2:libxml2-2-debuginfo-2.9.3-7.11.1 openSUSE 13.2:libxml2-2-debuginfo-32bit-2.9.3-7.11.1 openSUSE 13.2:libxml2-2.9.3-7.11.1 openSUSE 13.2:libxml2-debugsource-2.9.3-7.11.1 openSUSE 13.2:libxml2-devel-2.9.3-7.11.1 openSUSE 13.2:libxml2-devel-32bit-2.9.3-7.11.1 openSUSE 13.2:libxml2-doc-2.9.3-7.11.1 openSUSE 13.2:libxml2-tools-2.9.3-7.11.1 openSUSE 13.2:libxml2-tools-debuginfo-2.9.3-7.11.1 openSUSE 13.2:python-libxml2-2.9.3-7.11.1 openSUSE 13.2:python-libxml2-debuginfo-2.9.3-7.11.1 openSUSE 13.2:python-libxml2-debugsource-2.9.3-7.11.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00127.html https://www.suse.com/security/cve/CVE-2016-3705.html CVE-2016-3705 https://bugzilla.suse.com/975947 SUSE Bug 975947