Executive Summary

Summary
Title libxml2 security update
Informations
Name RHSA-2014:1885 First vendor Publication 2014-11-20
Vendor RedHat Last vendor Modification 2014-11-20
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The libxml2 library is a development toolbox providing the implementation of various XML standards.

A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660)

All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1149084 - CVE-2014-3660 libxml2: denial of service via recursive entity expansion

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2014-1885.html

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:27021
 
Oval ID: oval:org.mitre.oval:def:27021
Title: DSA-3057-1 libxml2 - security update
Description: Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (<a href="https://security-tracker.debian.org/tracker/CVE-2014-3660">CVE-2014-3660</a>)
Family: unix Class: patch
Reference(s): DSA-3057-1
CVE-2014-3660
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27098
 
Oval ID: oval:org.mitre.oval:def:27098
Title: ELSA-2014-1655 -- libxml2 security update
Description: [2.9.1-5.0.1.el7_0.1] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [2.9.1-5.1] - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)
Family: unix Class: patch
Reference(s): ELSA-2014-1655
CVE-2014-3660
Version: 4
Platform(s): Oracle Linux 7
Product(s): libxml2
libxml2-devel
libxml2-python
libxml2-static
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27149
 
Oval ID: oval:org.mitre.oval:def:27149
Title: RHSA-2014:1655: libxml2 security update (Moderate)
Description: The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1655-00
CVE-2014-3660
CESA-2014:1655-CentOS 7
CESA-2014:1655-CentOS 6
Version: 5
Platform(s): Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
CentOS Linux 7
CentOS Linux 6
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27531
 
Oval ID: oval:org.mitre.oval:def:27531
Title: USN-2389-1 -- libxml2 vulnerability
Description: It was discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.
Family: unix Class: patch
Reference(s): USN-2389-1
CVE-2014-3660
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27707
 
Oval ID: oval:org.mitre.oval:def:27707
Title: RHSA-2014:1885 -- libxml2 security update (Moderate)
Description: The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1885
CESA-2014:1885
CVE-2014-3660
Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27924
 
Oval ID: oval:org.mitre.oval:def:27924
Title: SUSE-SU-2014:1440-1 -- Security update for libxml2 (moderate)
Description: This update fixes a denial of service via recursive entity expansion. (CVE-2014-3660) Security Issues: * CVE-2014-3660 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1440-1
CVE-2014-3660
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28050
 
Oval ID: oval:org.mitre.oval:def:28050
Title: ELSA-2014-1885 -- libxml2 security update (moderate)
Description: [2.6.26-2.1.25.0.1.el5_11] - Add libxml2-enterprise.patch - Replaced doc/redhat.gif in tarball with updated image [2.6.26-2.1.25.el5] - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1161841) [2.6.26-2.1.24.el5] - fixed one regexp bug and added a (rhbz#922450) - Another small change on the algorithm for the elimination of epsilon (rhbz#922450) [2.6.26-2.1.23.el5] - detect and stop excessive entities expansion upon replacement (rhbz#912573) [2.6.26-2.1.22.el5] - fix validation issues with some XSD (rhbz#877348) - xmlDOMWrapCloneNode discards namespace of the node parameter (rhbz#884707)
Family: unix Class: patch
Reference(s): ELSA-2014-1885
CVE-2014-3660
Version: 3
Platform(s): Oracle Linux 5
Product(s): libxml2
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2
Application 149
Os 102
Os 3
Os 1
Os 1

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-08-20 IAVM : 2015-A-0199 - Multiple Vulnerabilities in Apple Mac OS X
Severity : Category I - VMSKEY : V0061337
2015-02-05 IAVM : 2015-B-0014 - Multiple Vulnerabilities in VMware ESXi 5.5
Severity : Category I - VMSKEY : V0058513
2015-02-05 IAVM : 2015-B-0013 - Multiple Vulnerabilities in VMware ESXi 5.1
Severity : Category I - VMSKEY : V0058515

Nessus® Vulnerability Scanner

Date Description
2016-06-22 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2016-0063.nasl - Type : ACT_GATHER_INFO
2016-04-04 Name : The remote device is affected by multiple vulnerabilities.
File : appletv_7_2_1.nasl - Type : ACT_GATHER_INFO
2016-02-16 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL61570943.nasl - Type : ACT_GATHER_INFO
2015-12-29 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-959.nasl - Type : ACT_GATHER_INFO
2015-08-17 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_SecUpd2015-006.nasl - Type : ACT_GATHER_INFO
2015-08-17 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_10_10_5.nasl - Type : ACT_GATHER_INFO
2015-07-31 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0097.nasl - Type : ACT_GATHER_INFO
2015-05-27 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-0003-1.nasl - Type : ACT_GATHER_INFO
2015-04-13 Name : The remote Fedora host is missing a security update.
File : fedora_2015-4719.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote Fedora host is missing a security update.
File : fedora_2015-4658.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-111.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-80.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-151.nasl - Type : ACT_GATHER_INFO
2015-01-29 Name : The remote VMware ESXi 5.5 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_5_build_2352327_remote.nasl - Type : ACT_GATHER_INFO
2015-01-29 Name : The remote VMware ESXi host is missing one or more security-related patches.
File : vmware_VMSA-2015-0001.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-244.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201412-06.nasl - Type : ACT_GATHER_INFO
2014-12-05 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15872.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2014-0031.nasl - Type : ACT_GATHER_INFO
2014-11-24 Name : The remote Fedora host is missing a security update.
File : fedora_2014-13047.nasl - Type : ACT_GATHER_INFO
2014-11-21 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141120_libxml2_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-11-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1885.nasl - Type : ACT_GATHER_INFO
2014-11-21 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1885.nasl - Type : ACT_GATHER_INFO
2014-11-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1885.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libxml2-141020.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-444.nasl - Type : ACT_GATHER_INFO
2014-11-03 Name : The remote Fedora host is missing a security update.
File : fedora_2014-12915.nasl - Type : ACT_GATHER_INFO
2014-10-30 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-606.nasl - Type : ACT_GATHER_INFO
2014-10-28 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2389-1.nasl - Type : ACT_GATHER_INFO
2014-10-28 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3057.nasl - Type : ACT_GATHER_INFO
2014-10-24 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-204.nasl - Type : ACT_GATHER_INFO
2014-10-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141016_libxml2_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-10-22 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1655.nasl - Type : ACT_GATHER_INFO
2014-10-20 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_0642b06456c411e48b87bcaec565249c.nasl - Type : ACT_GATHER_INFO
2014-10-20 Name : The remote Fedora host is missing a security update.
File : fedora_2014-12995.nasl - Type : ACT_GATHER_INFO
2014-10-17 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1655.nasl - Type : ACT_GATHER_INFO
2014-10-17 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1655.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-11-22 13:24:08
  • Multiple Updates
2014-11-20 21:22:10
  • First insertion