Detections
Analytics

Debian DSA-2394-1 : libxml2 - several vulnerabilities

high Nessus Plugin ID 57702

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Many security problems have been fixed in libxml2, a popular library to handle XML data files.

 - CVE-2011-3919 :
 Juri Aedla discovered a heap-based buffer overflow that allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

 - CVE-2011-0216 :
 An Off-by-one error have been discovered that allows remote attackers to execute arbitrary code or cause a denial of service.

 - CVE-2011-2821 :
 A memory corruption (double free) bug has been identified in libxml2's XPath engine. Through it, it is possible for an attacker to cause a denial of service or possibly have unspecified other impact. This vulnerability does not affect the oldstable distribution (lenny).

 - CVE-2011-2834 :
 Yang Dingning discovered a double free vulnerability related to XPath handling.

 - CVE-2011-3905 :
 An out-of-bounds read vulnerability had been discovered, which allows remote attackers to cause a denial of service.

Solution

Upgrade the libxml2 packages.

For the oldstable distribution (lenny), this problem has been fixed in version 2.6.32.dfsg-5+lenny5.

For the stable distribution (squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652352

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643648

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656377

https://security-tracker.debian.org/tracker/CVE-2011-3919

https://security-tracker.debian.org/tracker/CVE-2011-0216

https://security-tracker.debian.org/tracker/CVE-2011-2821

https://security-tracker.debian.org/tracker/CVE-2011-2834

https://security-tracker.debian.org/tracker/CVE-2011-3905

https://packages.debian.org/source/squeeze/libxml2

https://www.debian.org/security/2012/dsa-2394

Plugin Details

Severity: High

ID: 57702

File Name: debian_DSA-2394.nasl

Version: 1.15

Type: local

Agent: unix

Published: 1/27/2012

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libxml2, cpe:/o:debian:debian_linux:5.0, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/27/2012

Reference Information

CVE: CVE-2011-0216, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919

BID: 48832, 49279, 49658, 51084, 51300

DSA: 2394