[SECURITY] [DSA 1861-1] New libxml packages fix several issues
Date: Thu, 13 Aug 2009 22:40:37 +0200
From: Nico Golde <nion@debian.org.>
Subject: [SECURITY] [DSA 1861-1] New libxml packages fix several issues
Priority: urgent
Resent-Message-ID: <q5pg5sARIJB.A.BVF.3sHhKB@liszt.>
Reply-To: [email protected]
Mail-Followup-To: [email protected]
To: [email protected]
Resent-Date: Thu, 13 Aug 2009 20:44:39 +0000 (UTC)
Resent-From: [email protected] (Mailing List Manager)
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-1861-1 [email protected]
http://www.debian.org/security/ Nico Golde
August 13th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : libxml
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE IDs : CVE-2009-2416 CVE-2009-2414
Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
vulnerabilities in libxml, a library for parsing and handling XML data
files, which can lead to denial of service conditions or possibly arbitrary
code execution in the application using the library. The Common
Vulnerabilities and Exposures project identifies the following problems:
An XML document with specially-crafted Notation or Enumeration attribute
types in a DTD definition leads to the use of a pointers to memory areas
which have already been freed (CVE-2009-2416).
Missing checks for the depth of ELEMENT DTD definitions when parsing
child content can lead to extensive stack-growth due to a function
recursion which can be triggered via a crafted XML document (CVE-2009-2414).
For the oldstable distribution (etch), this problem has been fixed in
version 1.8.17-14+etch1.
The stable (lenny), testing (squeeze) and unstable (sid) distribution
do not contain libxml anymore but libxml2 for which DSA-1859-1 has been
released.
We recommend that you upgrade your libxml packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-14+etch1.diff.gz
Size/MD5 checksum: 366268 512cbc5adce12b54741cadd80e62eb7d
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17.orig.tar.gz
Size/MD5 checksum: 1016403 b8f01e43e1e03dec37dfd6b4507a9568
http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-14+etch1.dsc
Size/MD5 checksum: 716 26bf8a9d037f583d4a9dc1dab5aa4792
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_alpha.deb
Size/MD5 checksum: 429312 749dda70c33689b70d13469f6c3357ac
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_alpha.deb
Size/MD5 checksum: 233288 02b88e80b91681e956cb4ab19acfeca6
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_amd64.deb
Size/MD5 checksum: 223558 ceb0d44c5a6a50373af43359e83667e7
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_amd64.deb
Size/MD5 checksum: 383872 fc52303783696d53c20999a82e962bd7
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_arm.deb
Size/MD5 checksum: 356830 43860080fa42274a3d7ad649a6dea3fd
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_arm.deb
Size/MD5 checksum: 197970 63134af5530d4ab6f1a41046136ea62d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_hppa.deb
Size/MD5 checksum: 429646 938ea12262d6fe02426a8d59f5242794
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_hppa.deb
Size/MD5 checksum: 240036 52f8f7e7c277f0b37fdba7e4b1609f19
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_i386.deb
Size/MD5 checksum: 212762 b25bde43ee075fa743b1f037a43919b8
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_i386.deb
Size/MD5 checksum: 364460 0d3f3229b87c1b2d2ff614679d805600
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_ia64.deb
Size/MD5 checksum: 498736 7fa5b542dcd264d899ea0b49cdf4ffdc
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_ia64.deb
Size/MD5 checksum: 315918 7e2351fbb88e55dcabcd4bbca3bb26c0
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_mips.deb
Size/MD5 checksum: 411816 f32a3c2d678a256691a7a6b300467eeb
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_mips.deb
Size/MD5 checksum: 209842 603a443d76deb3bafea7e288f102d2bb
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_mipsel.deb
Size/MD5 checksum: 408602 36e9600b0be7e846b4788cd475413858
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_mipsel.deb
Size/MD5 checksum: 210312 e78866fce8cdc8fd0854203a73f50a6e
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_powerpc.deb
Size/MD5 checksum: 213862 5a6fde00e79c0ab8a873f0f0d2bfc028
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_powerpc.deb
Size/MD5 checksum: 388622 c93294decb6b25bb4c3fe43dc0fa25e2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-14+etch1_s390.deb
Size/MD5 checksum: 387402 43844dfcb0401e9fd1ac3d4c80281f83
http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-14+etch1_s390.deb
Size/MD5 checksum: 226562 c9da4865e04f157ceacde8f59b040f28
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqEekUACgkQHYflSXNkfP8mZgCggjl7lV6LNPSO+b5xCdhx2/o2
k+0AoK7VaXyZJpBP48ZMPpyXSFXFKWoA
=r2rS
-----END PGP SIGNATURE-----