Executive Summary
Summary | |
---|---|
Title | libxml2 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:1885 | First vendor Publication | 2014-11-20 |
Vendor | RedHat | Last vendor Modification | 2014-11-20 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1149084 - CVE-2014-3660 libxml2: denial of service via recursive entity expansion |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-1885.html |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:27021 | |||
Oval ID: | oval:org.mitre.oval:def:27021 | ||
Title: | DSA-3057-1 libxml2 - security update | ||
Description: | Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (<a href="https://security-tracker.debian.org/tracker/CVE-2014-3660">CVE-2014-3660</a>) | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-3057-1 CVE-2014-3660 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27098 | |||
Oval ID: | oval:org.mitre.oval:def:27098 | ||
Title: | ELSA-2014-1655 -- libxml2 security update | ||
Description: | [2.9.1-5.0.1.el7_0.1] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [2.9.1-5.1] - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-1655 CVE-2014-3660 | Version: | 4 |
Platform(s): | Oracle Linux 7 | Product(s): | libxml2 libxml2-devel libxml2-python libxml2-static |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27149 | |||
Oval ID: | oval:org.mitre.oval:def:27149 | ||
Title: | RHSA-2014:1655: libxml2 security update (Moderate) | ||
Description: | The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:1655-00 CVE-2014-3660 CESA-2014:1655-CentOS 7 CESA-2014:1655-CentOS 6 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 CentOS Linux 7 CentOS Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27531 | |||
Oval ID: | oval:org.mitre.oval:def:27531 | ||
Title: | USN-2389-1 -- libxml2 vulnerability | ||
Description: | It was discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2389-1 CVE-2014-3660 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27707 | |||
Oval ID: | oval:org.mitre.oval:def:27707 | ||
Title: | RHSA-2014:1885 -- libxml2 security update (Moderate) | ||
Description: | The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:1885 CESA-2014:1885 CVE-2014-3660 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27924 | |||
Oval ID: | oval:org.mitre.oval:def:27924 | ||
Title: | SUSE-SU-2014:1440-1 -- Security update for libxml2 (moderate) | ||
Description: | This update fixes a denial of service via recursive entity expansion. (CVE-2014-3660) Security Issues: * CVE-2014-3660 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1440-1 CVE-2014-3660 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28050 | |||
Oval ID: | oval:org.mitre.oval:def:28050 | ||
Title: | ELSA-2014-1885 -- libxml2 security update (moderate) | ||
Description: | [2.6.26-2.1.25.0.1.el5_11] - Add libxml2-enterprise.patch - Replaced doc/redhat.gif in tarball with updated image [2.6.26-2.1.25.el5] - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1161841) [2.6.26-2.1.24.el5] - fixed one regexp bug and added a (rhbz#922450) - Another small change on the algorithm for the elimination of epsilon (rhbz#922450) [2.6.26-2.1.23.el5] - detect and stop excessive entities expansion upon replacement (rhbz#912573) [2.6.26-2.1.22.el5] - fix validation issues with some XSD (rhbz#877348) - xmlDOMWrapCloneNode discards namespace of the node parameter (rhbz#884707) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-1885 CVE-2014-3660 | Version: | 3 |
Platform(s): | Oracle Linux 5 | Product(s): | libxml2 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-08-20 | IAVM : 2015-A-0199 - Multiple Vulnerabilities in Apple Mac OS X Severity : Category I - VMSKEY : V0061337 |
2015-02-05 | IAVM : 2015-B-0014 - Multiple Vulnerabilities in VMware ESXi 5.5 Severity : Category I - VMSKEY : V0058513 |
2015-02-05 | IAVM : 2015-B-0013 - Multiple Vulnerabilities in VMware ESXi 5.1 Severity : Category I - VMSKEY : V0058515 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-06-22 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2016-0063.nasl - Type : ACT_GATHER_INFO |
2016-04-04 | Name : The remote device is affected by multiple vulnerabilities. File : appletv_7_2_1.nasl - Type : ACT_GATHER_INFO |
2016-02-16 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL61570943.nasl - Type : ACT_GATHER_INFO |
2015-12-29 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-959.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2015-006.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_10_5.nasl - Type : ACT_GATHER_INFO |
2015-07-31 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0097.nasl - Type : ACT_GATHER_INFO |
2015-05-27 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0003-1.nasl - Type : ACT_GATHER_INFO |
2015-04-13 | Name : The remote Fedora host is missing a security update. File : fedora_2015-4719.nasl - Type : ACT_GATHER_INFO |
2015-04-08 | Name : The remote Fedora host is missing a security update. File : fedora_2015-4658.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-111.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-80.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-151.nasl - Type : ACT_GATHER_INFO |
2015-01-29 | Name : The remote VMware ESXi 5.5 host is affected by multiple vulnerabilities. File : vmware_esxi_5_5_build_2352327_remote.nasl - Type : ACT_GATHER_INFO |
2015-01-29 | Name : The remote VMware ESXi host is missing one or more security-related patches. File : vmware_VMSA-2015-0001.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-244.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-06.nasl - Type : ACT_GATHER_INFO |
2014-12-05 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15872.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0031.nasl - Type : ACT_GATHER_INFO |
2014-11-24 | Name : The remote Fedora host is missing a security update. File : fedora_2014-13047.nasl - Type : ACT_GATHER_INFO |
2014-11-21 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20141120_libxml2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-11-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1885.nasl - Type : ACT_GATHER_INFO |
2014-11-21 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1885.nasl - Type : ACT_GATHER_INFO |
2014-11-21 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1885.nasl - Type : ACT_GATHER_INFO |
2014-11-18 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libxml2-141020.nasl - Type : ACT_GATHER_INFO |
2014-11-18 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-444.nasl - Type : ACT_GATHER_INFO |
2014-11-03 | Name : The remote Fedora host is missing a security update. File : fedora_2014-12915.nasl - Type : ACT_GATHER_INFO |
2014-10-30 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-606.nasl - Type : ACT_GATHER_INFO |
2014-10-28 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2389-1.nasl - Type : ACT_GATHER_INFO |
2014-10-28 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3057.nasl - Type : ACT_GATHER_INFO |
2014-10-24 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-204.nasl - Type : ACT_GATHER_INFO |
2014-10-23 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20141016_libxml2_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-10-22 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1655.nasl - Type : ACT_GATHER_INFO |
2014-10-20 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_0642b06456c411e48b87bcaec565249c.nasl - Type : ACT_GATHER_INFO |
2014-10-20 | Name : The remote Fedora host is missing a security update. File : fedora_2014-12995.nasl - Type : ACT_GATHER_INFO |
2014-10-17 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1655.nasl - Type : ACT_GATHER_INFO |
2014-10-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1655.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-11-22 13:24:08 |
|
2014-11-20 21:22:10 |
|