Date: 4 Mar 2004 04:49:20 -0000
From: Mandrake Linux Security Team <[email protected]>
To: [email protected]
Subject: MDKSA-2004:018 - Updated libxml2 packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: libxml2
Advisory ID: MDKSA-2004:018
Date: March 3rd, 2004
Affected versions: 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi
Teranishi. When fetching a remote source via FTP or HTTP, libxml2
uses special parsing routines that can overflow a buffer if passed a
very long URL. In the event that the attacker can find a program that
uses libxml2 which parses remote resources and allows them to
influence the URL, this flaw could be used to execute arbitrary code.
The updated packages provide a backported fix to correct the problem.
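
An added illustration of the bug class described above, not code from this advisory or from libxml2: a URL splitter that rejects oversized components instead of copying them into fixed-size buffers unchecked. The names scan_url, url_parts and bounded_copy and both size limits are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define URL_HOST_MAX 256   /* limits assumed for this sketch */
#define URL_PATH_MAX 1024

struct url_parts { char host[URL_HOST_MAX]; char path[URL_PATH_MAX]; int port; };

/* Copy len bytes into dst (capacity cap); refuse rather than truncate or overflow. */
static int bounded_copy(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Split an http:// or ftp:// URL. Returns 0 on success, -1 on malformed or oversized input. */
int scan_url(const char *url, struct url_parts *out) {
    const char *p, *host_end, *auth_end, *q;
    long port = 0;
    if (url == NULL || out == NULL) return -1;
    if (strncmp(url, "http://", 7) == 0) { p = url + 7; out->port = 80; }
    else if (strncmp(url, "ftp://", 6) == 0) { p = url + 6; out->port = 21; }
    else return -1;
    auth_end = p + strcspn(p, "/");   /* end of host[:port] */
    host_end = p + strcspn(p, ":/");  /* end of host */
    if (host_end == p) return -1;     /* empty host */
    if (bounded_copy(out->host, sizeof out->host, p, (size_t)(host_end - p)) != 0)
        return -1;
    if (*host_end == ':') {
        if (host_end + 1 == auth_end) return -1;   /* ':' with no digits */
        for (q = host_end + 1; q < auth_end; q++) {
            if (*q < '0' || *q > '9') return -1;
            port = port * 10 + (*q - '0');
            if (port > 65535) return -1;           /* also stops integer overflow */
        }
        out->port = (int)port;
    }
    if (*auth_end == '\0')                         /* no path given */
        return bounded_copy(out->path, sizeof out->path, "/", 1);
    return bounded_copy(out->path, sizeof out->path, auth_end, strlen(auth_end));
}

int main(void) {
    static char big[6000] = "http://";             /* constructed overlong URL */
    struct url_parts u;
    memset(big + 7, 'a', 5000);
    printf("overlong host -> %d\n", scan_url(big, &u));
    return 0;
}
```

A length check of this kind in the calling program, applied before an untrusted URL reaches the library, limits exposure on hosts where the updated packages are not yet installed.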
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
______________________________________________________________________
Updated Packages:
Corporate Server 2.1:
51af35991ac6ceef5cd6ddc4330e1995 corporate/2.1/RPMS/libxml2-2.4.23-4.2.C21mdk.i586.rpm
34e6aa4c010e14199767c97d5fe0b706 corporate/2.1/RPMS/libxml2-devel-2.4.23-4.2.C21mdk.i586.rpm
9b551a5dfa4129f88fa90062ed684725 corporate/2.1/RPMS/libxml2-python-2.4.23-4.2.C21mdk.i586.rpm
7c2efde8dde2fabc15d0c59fd867d156 corporate/2.1/RPMS/libxml2-utils-2.4.23-4.2.C21mdk.i586.rpm
153ca0fed634a7485046181baf06ea94 corporate/2.1/SRPMS/libxml2-2.4.23-4.2.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
2bfb3a34f15d5484119f94ea0d8c9d69 x86_64/corporate/2.1/RPMS/libxml2-2.4.23-4.2.C21mdk.x86_64.rpm
251108957d5ba90a9082d1f1976e5fb7 x86_64/corporate/2.1/RPMS/libxml2-devel-2.4.23-4.2.C21mdk.x86_64.rpm
7f4d9e5052d9ca41cd0ed8dba78d2416 x86_64/corporate/2.1/RPMS/libxml2-python-2.4.23-4.2.C21mdk.x86_64.rpm
63e3b6910f6e42b775cb936ce581b16e x86_64/corporate/2.1/RPMS/libxml2-utils-2.4.23-4.2.C21mdk.x86_64.rpm
153ca0fed634a7485046181baf06ea94 x86_64/corporate/2.1/SRPMS/libxml2-2.4.23-4.2.C21mdk.src.rpm
Mandrakelinux 9.1:
9b91d9a62e88829d180335e93005d706 9.1/RPMS/libxml2-2.5.4-1.2.91mdk.i586.rpm
42ea5fe9ee7733bab3e726cb0005a9e8 9.1/RPMS/libxml2-devel-2.5.4-1.2.91mdk.i586.rpm
98642ae61a8884d25878bc91f1d06622 9.1/RPMS/libxml2-python-2.5.4-1.2.91mdk.i586.rpm
3a7b2acf410ed9d6dc7d34d7e7fc319a 9.1/RPMS/libxml2-utils-2.5.4-1.2.91mdk.i586.rpm
bbb88662f90ff49f28a2e3e6905106f3 9.1/SRPMS/libxml2-2.5.4-1.2.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
bcf80b555579701ed2ba8925bc1a9634 ppc/9.1/RPMS/libxml2-2.5.4-1.2.91mdk.ppc.rpm
3f6a1d38b9aaefd39a2ad116ec65643d ppc/9.1/RPMS/libxml2-devel-2.5.4-1.2.91mdk.ppc.rpm
cdb9ee131ca5bd58564259d6917a9c56 ppc/9.1/RPMS/libxml2-python-2.5.4-1.2.91mdk.ppc.rpm
3c96adac2eb332f1e535b80e626a2c80 ppc/9.1/RPMS/libxml2-utils-2.5.4-1.2.91mdk.ppc.rpm
bbb88662f90ff49f28a2e3e6905106f3 ppc/9.1/SRPMS/libxml2-2.5.4-1.2.91mdk.src.rpm
Mandrakelinux 9.2:
6566203ab3c4fb904ae0126196aaf400 9.2/RPMS/libxml2-2.5.11-1.2.92mdk.i586.rpm
5552925b636b9926059c5c27ca37a588 9.2/RPMS/libxml2-devel-2.5.11-1.2.92mdk.i586.rpm
377f7250ee689d7ee7453b852e651d02 9.2/RPMS/libxml2-python-2.5.11-1.2.92mdk.i586.rpm
7e04e506249fbb224690ce3cc6434776 9.2/RPMS/libxml2-utils-2.5.11-1.2.92mdk.i586.rpm
34048480a99f5f04d02902ab918cf5c8 9.2/SRPMS/libxml2-2.5.11-1.2.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
12bfba14856691201fb44eeecd2e0760 amd64/9.2/RPMS/lib64xml2-2.5.11-1.2.92mdk.amd64.rpm
0267276afa32b153be2ab27821f2a45c amd64/9.2/RPMS/lib64xml2-devel-2.5.11-1.2.92mdk.amd64.rpm
545cdb232a403bb77dbd7ae5881dfe01 amd64/9.2/RPMS/lib64xml2-python-2.5.11-1.2.92mdk.amd64.rpm
32012969ba7f58a67f8569d86ca90246 amd64/9.2/RPMS/libxml2-utils-2.5.11-1.2.92mdk.amd64.rpm
34048480a99f5f04d02902ab918cf5c8 amd64/9.2/SRPMS/libxml2-2.5.11-1.2.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesecure.net/en/advisories/
Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFARrVQmqjQ0CJFipgRApmfAKDAmU1wWFUMOt0zdBXMK5B3TnbFiQCgtUPf
ZHaFx48BQTxaJG6ZbwDG/0E=
=Tz/7
-----END PGP SIGNATURE-----