Security update for libxml2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1810-1 Final 1 1 2017-07-06T16:27:17Z current 2017-07-06T16:27:17Z 2017-07-06T16:27:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxml2 This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-07/msg00040.html E-Mail link for openSUSE-SU-2017:1810-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libxml2-2.9.4-5.10.1 libxml2-2-2.9.4-5.10.1 libxml2-2-32bit-2.9.4-5.10.1 libxml2-devel-2.9.4-5.10.1 libxml2-devel-32bit-2.9.4-5.10.1 libxml2-doc-2.9.4-5.10.1 libxml2-tools-2.9.4-5.10.1 python-libxml2-2.9.4-5.10.1 libxml2-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 libxml2-2-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 libxml2-2-32bit-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 libxml2-devel-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 libxml2-devel-32bit-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 libxml2-doc-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 libxml2-tools-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 python-libxml2-2.9.4-5.10.1 as a component of openSUSE Leap 42.2 A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). CVE-2017-7375 openSUSE Leap 42.2:libxml2-2-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-5.10.1 openSUSE Leap 42.2:python-libxml2-2.9.4-5.10.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00040.html https://www.suse.com/security/cve/CVE-2017-7375.html CVE-2017-7375 https://bugzilla.suse.com/1044894 SUSE Bug 1044894 https://bugzilla.suse.com/1049467 SUSE Bug 1049467 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects. CVE-2017-7376 openSUSE Leap 42.2:libxml2-2-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-5.10.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-5.10.1 openSUSE Leap 42.2:python-libxml2-2.9.4-5.10.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00040.html https://www.suse.com/security/cve/CVE-2017-7376.html CVE-2017-7376 https://bugzilla.suse.com/1044887 SUSE Bug 1044887 https://bugzilla.suse.com/1049467 SUSE Bug 1049467 https://bugzilla.suse.com/1123919 SUSE Bug 1123919