Executive Summary
Summary | |
---|---|
Title | libxml2 security update |
Informations | |||
---|---|---|---|
Name | DSA-2652 | First vendor Publication | 2013-03-24 |
Vendor | Debian | Last vendor Modification | 2013-03-24 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Brad Hill of iSEC Partners discovered that many XML implementations are vulnerable to external entity expansion issues, which can be used for various purposes such as firewall circumvention, disguising an IP address, and denial-of-service. libxml2 was susceptible to these problems when performing string substitution during entity expansion. For the stable distribution (squeeze), these problems have been fixed in version 2.7.8.dfsg-2+squeeze7. For the testing (wheezy) and unstable (sid) distributions, these problems have been fixed in version 2.8.0+dfsg1-7+nmu1. We recommend that you upgrade your libxml2 packages. |
Original Source
Url : http://www.debian.org/security/2013/dsa-2652 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18166 | |||
Oval ID: | oval:org.mitre.oval:def:18166 | ||
Title: | USN-1782-1 -- libxml2 vulnerability | ||
Description: | libxml2 could be made to hang if it received specially crafted input. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1782-1 CVE-2013-0338 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20018 | |||
Oval ID: | oval:org.mitre.oval:def:20018 | ||
Title: | DSA-2652-1 libxml2 - external entity expansion | ||
Description: | Brad Hill of iSEC Partners discovered that many XML implementations are vulnerable to external entity expansion issues, which can be used for various purposes such as firewall circumvention, disguising an IP address, and denial-of-service. libxml2 was susceptible to these problems when performing string substitution during entity expansion. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2652-1 CVE-2013-0338 CVE-2013-0339 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20491 | |||
Oval ID: | oval:org.mitre.oval:def:20491 | ||
Title: | VMware vSphere, ESX and ESXi updates to third party libraries | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2013-0338 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20894 | |||
Oval ID: | oval:org.mitre.oval:def:20894 | ||
Title: | RHSA-2013:0581: libxml2 security update (Moderate) | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0581-01 CESA-2013:0581 CVE-2013-0338 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23449 | |||
Oval ID: | oval:org.mitre.oval:def:23449 | ||
Title: | ELSA-2013:0581: libxml2 security update (Moderate) | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0581-01 CVE-2013-0338 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23965 | |||
Oval ID: | oval:org.mitre.oval:def:23965 | ||
Title: | DEPRECATED: ELSA-2013:0581: libxml2 security update (Moderate) | ||
Description: | libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0581-01 CVE-2013-0338 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25714 | |||
Oval ID: | oval:org.mitre.oval:def:25714 | ||
Title: | SUSE-SU-2013:1625-1 -- Security update for libxml2 | ||
Description: | This is a LTSS rollup update for the libxml2 library that fixes various security issues. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1625-1 CVE-2013-2877 CVE-2013-0338 CVE-2012-5134 CVE-2012-2807 CVE-2011-3102 CVE-2012-0841 CVE-2011-3919 CVE-2013-0339 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25816 | |||
Oval ID: | oval:org.mitre.oval:def:25816 | ||
Title: | SUSE-SU-2013:0743-1 -- Security update for libxml2 | ||
Description: | libxml2 has been updated to fix two security bugs. * CVE-2013-0338: Internal entity expansion within XML was not bounded, leading to simple small XML files being able to cause "out of memory" denial of service conditions. * CVE-2012-5134: Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0743-1 CVE-2013-0338 CVE-2012-5134 CVE-2013-0339 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | libxml2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25923 | |||
Oval ID: | oval:org.mitre.oval:def:25923 | ||
Title: | SUSE-SU-2013:0744-1 -- Security update for libxml2 | ||
Description: | libxml2 has been updated to fix entity expansion problems: * CVE-2013-0338: Internal entity expansion within XML was not bounded, leading to simple small XML files being able to cause "out of memory" denial of service conditions. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0744-1 CVE-2013-0338 CVE-2013-0339 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Server 10 SUSE Linux Enterprise Desktop 11 SUSE Linux Enterprise Desktop 10 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27000 | |||
Oval ID: | oval:org.mitre.oval:def:27000 | ||
Title: | DEPRECATED: ELSA-2013-0581 -- libxml2 security update (moderate) | ||
Description: | [2.7.6-12.0.1.el6_4.1] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0581 CVE-2013-0338 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libxml2 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-04 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_esx_VMSA-2013-0009_remote.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1627-1.nasl - Type : ACT_GATHER_INFO |
2015-01-27 | Name : The remote web server is affected by multiple vulnerabilities. File : oracle_http_server_cpu_jan_2015.nasl - Type : ACT_GATHER_INFO |
2015-01-23 | Name : The remote device is missing a vendor-supplied security patch. File : juniper_jsa10669.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libxml2_20130716.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-11.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-0636.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-263.nasl - Type : ACT_GATHER_INFO |
2014-01-20 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_1483097_remote.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.0 host is affected by multiple security vulnerabilit... File : vmware_esxi_5_0_build_1311177_remote.nasl - Type : ACT_GATHER_INFO |
2013-11-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201311-06.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-188.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2013-0009.nasl - Type : ACT_GATHER_INFO |
2013-07-25 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-198.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1904-2.nasl - Type : ACT_GATHER_INFO |
2013-07-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1904-1.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0581.nasl - Type : ACT_GATHER_INFO |
2013-05-03 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libxml2-8513.nasl - Type : ACT_GATHER_INFO |
2013-05-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libxml2-130320.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-056.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_843a4641981611e29c51080027019be0.nasl - Type : ACT_GATHER_INFO |
2013-03-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1782-1.nasl - Type : ACT_GATHER_INFO |
2013-03-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2652.nasl - Type : ACT_GATHER_INFO |
2013-03-04 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0581.nasl - Type : ACT_GATHER_INFO |
2013-03-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130228_libxml2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-03-01 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0581.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:31:46 |
|
2014-01-23 00:22:07 |
|
2014-01-21 21:25:02 |
|
2013-04-30 00:20:03 |
|
2013-04-26 21:21:02 |
|
2013-04-26 13:20:19 |
|
2013-03-26 09:17:30 |
|