USN-644-1: libxml2 vulnerabilities

Publication date

11 September 2008

Overview

libxml2 vulnerabilities


Packages

Details

It was discovered that libxml2 did not correctly handle long entity names.
If a user were tricked into processing a specially crafted XML document,
a remote attacker could execute arbitrary code with user privileges
or cause the application linked against libxml2 to crash, leading to a
denial of service. (CVE-2008-3529)

USN-640-1 fixed vulnerabilities in libxml2. When processing extremely
large XML documents with valid entities, it was possible to incorrectly
trigger the newly added vulnerability protections. This update fixes
the problem. (CVE-2008-3281)

Update instructions

In general, a standard system upgrade is sufficient to effect the necessary changes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release   Package   Version
8.04 hardy       libxml2   2.6.31.dfsg-2ubuntu1.2
7.10 gutsy       libxml2   2.6.30.dfsg-2ubuntu1.3
7.04 feisty      libxml2   2.6.27.dfsg-1ubuntu3.3
6.06 dapper      libxml2   2.6.24.dfsg-1ubuntu1.3