Security update for libxml2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0395-1 Final 1 1 2018-02-08T07:54:46Z current 2018-02-08T07:54:46Z 2018-02-08T07:54:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxml2 This update for libxml2 fixes several issues. Theses security issues were fixed: - CVE-2017-16932: Fixed infinite recursion could lead to an infinite loop or memory exhaustion when expanding a parameter entity in a DTD (bsc#1069689). - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-libxml2-13458,slessp4-libxml2-13458 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180395-1/ Link for SUSE-SU-2018:0395-1 https://lists.suse.com/pipermail/sle-security-updates/2018-February/003715.html E-Mail link for SUSE-SU-2018:0395-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1069689 SUSE Bug 1069689 https://bugzilla.suse.com/1077993 SUSE Bug 1077993 https://bugzilla.suse.com/1078806 SUSE Bug 1078806 https://bugzilla.suse.com/1078813 SUSE Bug 1078813 https://www.suse.com/security/cve/CVE-2016-5131/ SUSE CVE CVE-2016-5131 page https://www.suse.com/security/cve/CVE-2017-15412/ SUSE CVE CVE-2017-15412 page https://www.suse.com/security/cve/CVE-2017-16932/ SUSE CVE CVE-2017-16932 page https://www.suse.com/security/cve/CVE-2017-5130/ SUSE CVE CVE-2017-5130 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 libxml2-devel-2.7.6-0.77.10.1 libxml2-devel-32bit-2.7.6-0.77.10.1 libxml2-2.7.6-0.77.10.1 libxml2-32bit-2.7.6-0.77.10.1 libxml2-doc-2.7.6-0.77.10.1 libxml2-python-2.7.6-0.77.10.1 libxml2-x86-2.7.6-0.77.10.1 libxml2-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 libxml2-32bit-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 libxml2-doc-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 libxml2-python-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 libxml2-x86-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 libxml2-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libxml2-32bit-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libxml2-doc-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libxml2-python-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libxml2-x86-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libxml2-devel-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libxml2-devel-32bit-2.7.6-0.77.10.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. CVE-2016-5131 SUSE Linux Enterprise Server 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-32bit-2.7.6-0.77.10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180395-1/ https://www.suse.com/security/cve/CVE-2016-5131.html CVE-2016-5131 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1069433 SUSE Bug 1069433 https://bugzilla.suse.com/1078813 SUSE Bug 1078813 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/989901 SUSE Bug 989901 Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15412 SUSE Linux Enterprise Server 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-32bit-2.7.6-0.77.10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180395-1/ https://www.suse.com/security/cve/CVE-2017-15412.html CVE-2017-15412 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 https://bugzilla.suse.com/1077993 SUSE Bug 1077993 https://bugzilla.suse.com/1123129 SUSE Bug 1123129 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. CVE-2017-16932 SUSE Linux Enterprise Server 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-32bit-2.7.6-0.77.10.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180395-1/ https://www.suse.com/security/cve/CVE-2017-16932.html CVE-2017-16932 https://bugzilla.suse.com/1069689 SUSE Bug 1069689 https://bugzilla.suse.com/1103099 SUSE Bug 1103099 https://bugzilla.suse.com/1123129 SUSE Bug 1123129 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. CVE-2017-5130 SUSE Linux Enterprise Server 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-32bit-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-doc-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-python-2.7.6-0.77.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libxml2-x86-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-2.7.6-0.77.10.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libxml2-devel-32bit-2.7.6-0.77.10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180395-1/ https://www.suse.com/security/cve/CVE-2017-5130.html CVE-2017-5130 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 https://bugzilla.suse.com/1078806 SUSE Bug 1078806 https://bugzilla.suse.com/1123129 SUSE Bug 1123129 https://bugzilla.suse.com/1123919 SUSE Bug 1123919