Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2013:198 | First vendor Publication | 2013-07-24 |
Vendor | Mandriva | Last vendor Modification | 2013-07-24 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities has been discovered and corrected in libxml2: A denial of service flaw was found in the way libxml2, a library providing support to read, modify and write XML and HTML files, performed string substitutions when entity values for external entity references replacement (--noent option) was requested / enabled during the XML file parsing. A remote attacker could provide a specially-crafted XML file containing an external entity expansion, when processed would lead to excessive CPU consumption (denial of service) (CVE-2013-0339). This a different flaw from CVE-2013-0338. parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state (CVE-2013-2877). The updated packages have been patched to correct these issues. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:198 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18166 | |||
Oval ID: | oval:org.mitre.oval:def:18166 | ||
Title: | USN-1782-1 -- libxml2 vulnerability | ||
Description: | libxml2 could be made to hang if it received specially crafted input. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1782-1 CVE-2013-0338 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18320 | |||
Oval ID: | oval:org.mitre.oval:def:18320 | ||
Title: | USN-1904-2 -- libxml2 regression | ||
Description: | USN-1904-1 introduced a regression in libxml2. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1904-2 CVE-2013-0339 CVE-2013-2877 | Version: | 7 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18347 | |||
Oval ID: | oval:org.mitre.oval:def:18347 | ||
Title: | USN-1904-1 -- libxml2 vulnerabilities | ||
Description: | Several security issues were fixed in libxml2. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1904-1 CVE-2013-0339 CVE-2013-2877 | Version: | 7 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20018 | |||
Oval ID: | oval:org.mitre.oval:def:20018 | ||
Title: | DSA-2652-1 libxml2 - external entity expansion | ||
Description: | Brad Hill of iSEC Partners discovered that many XML implementations are vulnerable to external entity expansion issues, which can be used for various purposes such as firewall circumvention, disguising an IP address, and denial-of-service. libxml2 was susceptible to these problems when performing string substitution during entity expansion. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2652-1 CVE-2013-0338 CVE-2013-0339 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20088 | |||
Oval ID: | oval:org.mitre.oval:def:20088 | ||
Title: | DSA-2779-1 libxml2 - denial of service | ||
Description: | Aki Helin of OUSPG discovered many out-of-bounds read issues in libxml2, the GNOME project's XML parser library, which can lead to denial of service issues when handling XML documents that end abruptly. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2779-1 CVE-2013-2877 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20491 | |||
Oval ID: | oval:org.mitre.oval:def:20491 | ||
Title: | VMware vSphere, ESX and ESXi updates to third party libraries | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2013-0338 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20894 | |||
Oval ID: | oval:org.mitre.oval:def:20894 | ||
Title: | RHSA-2013:0581: libxml2 security update (Moderate) | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0581-01 CESA-2013:0581 CVE-2013-0338 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23449 | |||
Oval ID: | oval:org.mitre.oval:def:23449 | ||
Title: | ELSA-2013:0581: libxml2 security update (Moderate) | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0581-01 CVE-2013-0338 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23965 | |||
Oval ID: | oval:org.mitre.oval:def:23965 | ||
Title: | DEPRECATED: ELSA-2013:0581: libxml2 security update (Moderate) | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0581-01 CVE-2013-0338 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25431 | |||
Oval ID: | oval:org.mitre.oval:def:25431 | ||
Title: | SUSE-SU-2014:0150-1 -- Security update for libxml2 | ||
Description: | This update fixes a DoS vulnerability in libxml2. CVE-2013-2877 has been assigned to this issue. Security Issue reference: * CVE-2013-2877 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0150-1 CVE-2013-2877 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25457 | |||
Oval ID: | oval:org.mitre.oval:def:25457 | ||
Title: | SUSE-SU-2013:1627-1 -- Security update for libxml2 | ||
Description: | libxml2 has been updated to fix the following security issue: * CVE-2013-0338: libxml2 allowed context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1627-1 CVE-2013-0338 CVE-2013-0339 CVE-2012-5134 CVE-2012-2807 CVE-2011-3102 CVE-2012-0841 CVE-2011-3919 CVE-2013-2877 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25714 | |||
Oval ID: | oval:org.mitre.oval:def:25714 | ||
Title: | SUSE-SU-2013:1625-1 -- Security update for libxml2 | ||
Description: | This is a LTSS rollup update for the libxml2 library that fixes various security issues. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1625-1 CVE-2013-2877 CVE-2013-0338 CVE-2012-5134 CVE-2012-2807 CVE-2011-3102 CVE-2012-0841 CVE-2011-3919 CVE-2013-0339 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25816 | |||
Oval ID: | oval:org.mitre.oval:def:25816 | ||
Title: | SUSE-SU-2013:0743-1 -- Security update for libxml2 | ||
Description: | libxml2 has been updated to fix two security bugs. * CVE-2013-0338: Internal entity expansion within XML was not bounded, leading to simple small XML files being able to cause "out of memory" denial of service conditions. * CVE-2012-5134: Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0743-1 CVE-2013-0338 CVE-2012-5134 CVE-2013-0339 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | libxml2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25923 | |||
Oval ID: | oval:org.mitre.oval:def:25923 | ||
Title: | SUSE-SU-2013:0744-1 -- Security update for libxml2 | ||
Description: | libxml2 has been updated to fix entity expansion problems: * CVE-2013-0338: Internal entity expansion within XML was not bounded, leading to simple small XML files being able to cause "out of memory" denial of service conditions. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0744-1 CVE-2013-0338 CVE-2013-0339 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Server 10 SUSE Linux Enterprise Desktop 11 SUSE Linux Enterprise Desktop 10 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26734 | |||
Oval ID: | oval:org.mitre.oval:def:26734 | ||
Title: | Allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly | ||
Description: | parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-2877 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 | Product(s): | Google Chrome |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27000 | |||
Oval ID: | oval:org.mitre.oval:def:27000 | ||
Title: | DEPRECATED: ELSA-2013-0581 -- libxml2 security update (moderate) | ||
Description: | [2.7.6-12.0.1.el6_4.1] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0581 CVE-2013-0338 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-12-11 | IAVM : 2014-B-0161 - Multiple Vulnerabilities in VMware ESXi 5.1 Severity : Category I - VMSKEY : V0057717 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-04 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_esx_VMSA-2013-0009_remote.nasl - Type : ACT_GATHER_INFO |
2015-12-30 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0012_remote.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1627-1.nasl - Type : ACT_GATHER_INFO |
2015-01-27 | Name : The remote web server is affected by multiple vulnerabilities. File : oracle_http_server_cpu_jan_2015.nasl - Type : ACT_GATHER_INFO |
2015-01-23 | Name : The remote device is missing a vendor-supplied security patch. File : juniper_jsa10669.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libxml2_20130716.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-11.nasl - Type : ACT_GATHER_INFO |
2014-12-12 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO |
2014-12-06 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0012.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0031.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-0636.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-340.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-263.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-592.nasl - Type : ACT_GATHER_INFO |
2014-05-20 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0513.nasl - Type : ACT_GATHER_INFO |
2014-05-20 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0513.nasl - Type : ACT_GATHER_INFO |
2014-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0513.nasl - Type : ACT_GATHER_INFO |
2014-05-20 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140519_libxml2_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-05-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e7bb3885da4011e39ecb2c4138874f7d.nasl - Type : ACT_GATHER_INFO |
2014-01-29 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libxml2-140106.nasl - Type : ACT_GATHER_INFO |
2014-01-20 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_1483097_remote.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.0 host is affected by multiple security vulnerabilit... File : vmware_esxi_5_0_build_1311177_remote.nasl - Type : ACT_GATHER_INFO |
2013-11-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201311-06.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2779.nasl - Type : ACT_GATHER_INFO |
2013-09-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201309-16.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-188.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2013-0009.nasl - Type : ACT_GATHER_INFO |
2013-07-25 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-198.nasl - Type : ACT_GATHER_INFO |
2013-07-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2724.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1904-2.nasl - Type : ACT_GATHER_INFO |
2013-07-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1904-1.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0581.nasl - Type : ACT_GATHER_INFO |
2013-07-11 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_3b80104fe96c11e28bac00262d5ed8ee.nasl - Type : ACT_GATHER_INFO |
2013-07-10 | Name : The remote host contains a web browser that is affected by multiple vulnerabi... File : google_chrome_28_0_1500_71.nasl - Type : ACT_GATHER_INFO |
2013-05-03 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libxml2-8513.nasl - Type : ACT_GATHER_INFO |
2013-05-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libxml2-130320.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-056.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_843a4641981611e29c51080027019be0.nasl - Type : ACT_GATHER_INFO |
2013-03-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1782-1.nasl - Type : ACT_GATHER_INFO |
2013-03-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2652.nasl - Type : ACT_GATHER_INFO |
2013-03-04 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0581.nasl - Type : ACT_GATHER_INFO |
2013-03-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130228_libxml2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-03-01 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0581.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:43:54 |
|
2014-01-23 00:22:07 |
|
2014-01-21 21:25:05 |
|
2013-07-24 13:19:13 |
|