SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2016:1538-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for libxml2 fixes the following security issues :

- CVE-2016-2073, CVE-2015-8806, CVE-2016-1839: A
heap-buffer overread was fixed in libxml2/dict.c
[bsc#963963, bsc#965283, bsc#981114].

- CVE-2016-4483: Code was added to avoid an out of bound
access when serializing malformed strings [bsc#978395].

- CVE-2016-1762: Fixed a heap-based buffer overread in
xmlNextChar [bsc#981040].

- CVE-2016-1834: Fixed a heap-buffer-overflow in
xmlStrncat [bsc#981041].

- CVE-2016-1833: Fixed a heap-based buffer overread in
htmlCurrentChar [bsc#981108].

- CVE-2016-1835: Fixed a heap use-after-free in
xmlSAX2AttributeNs [bsc#981109].

- CVE-2016-1837: Fixed a heap use-after-free in
htmlParsePubidLiteral and htmlParseSystemLiteral
[bsc#981111].

- CVE-2016-1838: Fixed a heap-based buffer overread in
xmlParserPrintFileContextInternal [bsc#981112].

- CVE-2016-1840: Fixed a heap-buffer-overflow in
xmlFAParsePosCharGroup [bsc#981115].

- CVE-2016-4447: Fixed heap-based buffer underreads due
to xmlParseName [bsc#981548].

- CVE-2016-4448: Fixed format string warnings that pointed
to a possible format string vulnerability [bsc#981549].

- CVE-2016-4449: Fixed inappropriate fetch of entities
content [bsc#981550].

- CVE-2016-3705: Fixed missing increment of recursion
counter.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/963963
https://bugzilla.suse.com/965283
https://bugzilla.suse.com/978395
https://bugzilla.suse.com/981040
https://bugzilla.suse.com/981041
https://bugzilla.suse.com/981108
https://bugzilla.suse.com/981109
https://bugzilla.suse.com/981111
https://bugzilla.suse.com/981112
https://bugzilla.suse.com/981114
https://bugzilla.suse.com/981115
https://bugzilla.suse.com/981548
https://bugzilla.suse.com/981549
https://bugzilla.suse.com/981550
https://www.suse.com/security/cve/CVE-2015-8806.html
https://www.suse.com/security/cve/CVE-2016-1762.html
https://www.suse.com/security/cve/CVE-2016-1833.html
https://www.suse.com/security/cve/CVE-2016-1834.html
https://www.suse.com/security/cve/CVE-2016-1835.html
https://www.suse.com/security/cve/CVE-2016-1837.html
https://www.suse.com/security/cve/CVE-2016-1838.html
https://www.suse.com/security/cve/CVE-2016-1839.html
https://www.suse.com/security/cve/CVE-2016-1840.html
https://www.suse.com/security/cve/CVE-2016-2073.html
https://www.suse.com/security/cve/CVE-2016-3705.html
https://www.suse.com/security/cve/CVE-2016-4447.html
https://www.suse.com/security/cve/CVE-2016-4448.html
https://www.suse.com/security/cve/CVE-2016-4449.html
https://www.suse.com/security/cve/CVE-2016-4483.html
http://www.nessus.org/u?f576822b

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12-SP1 :

zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-915=1

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2016-915=1

SUSE Linux Enterprise Server 12-SP1 :

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-915=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2016-915=1

SUSE Linux Enterprise Desktop 12-SP1 :

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-915=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-915=1

To bring your system up-to-date, use 'zypper patch'.
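As an added example (not part of the Nessus plugin text or of SUSE's advisory), the following POSIX shell script checks whether an RPM changelog names every CVE this update covers, a quick way to confirm on a host that the patch actually landed rather than trusting the scanner's version comparison alone. It assumes the SLE 12 runtime package is called libxml2-2 (confirm with rpm -qa 'libxml2*') and uses a constructed changelog excerpt, not real SUSE changelog text, so it runs without a SUSE system.

```shell
#!/bin/sh
# Added example, not part of the Nessus plugin or the SUSE advisory.
# Report which CVEs from SUSE-SU-2016:1538-1 a package changelog does not
# mention. On a SLE 12 host the changelog text would come from
#   rpm -q --changelog libxml2-2
# (assumption: libxml2-2 is the runtime package name). A constructed
# excerpt is used below so the script runs offline.

# The 15 CVEs named in the advisory, in the order it lists them.
ADVISORY_CVES="CVE-2016-2073 CVE-2015-8806 CVE-2016-1839 CVE-2016-4483
CVE-2016-1762 CVE-2016-1834 CVE-2016-1833 CVE-2016-1835 CVE-2016-1837
CVE-2016-1838 CVE-2016-1840 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449
CVE-2016-3705"

# Constructed sample changelog (not real SUSE changelog text). It mentions
# only five of the advisory's CVEs, so the check must flag the other ten.
SAMPLE_CHANGELOG='* Fri May 27 2016 maintainer@example.invalid
- Fixed heap-based buffer overread in xmlNextChar [CVE-2016-1762, bsc#981040]
- Fixed heap-based buffer overread in htmlCurrentChar [CVE-2016-1833, bsc#981108]
- Fixed heap use-after-free in xmlSAX2AttributeNs [CVE-2016-1835, bsc#981109]
* Mon Feb 01 2016 maintainer@example.invalid
- Fixed heap-buffer overread in dict.c [CVE-2016-2073, CVE-2015-8806]'

# missing_cves CHANGELOG_TEXT
# Print, space separated, every CVE in ADVISORY_CVES that CHANGELOG_TEXT does
# not mention. The pattern requires a non-digit (or line end) after the ID so
# that CVE-2016-1833 is not satisfied by a hypothetical CVE-2016-18330.
missing_cves() {
  changelog="$1"
  missing=""
  for cve in $ADVISORY_CVES; do
    if ! printf '%s\n' "$changelog" | grep -Eq "(^|[^0-9])$cve([^0-9]|\$)"; then
      missing="$missing $cve"
    fi
  done
  printf '%s\n' "${missing# }"
}

# check_installed: the same check against the installed package. Not invoked
# here; call it on the SLE 12 host being verified.
check_installed() {
  missing_cves "$(rpm -q --changelog libxml2-2)"
}

# Stand-alone demo on the constructed sample.
result="$(missing_cves "$SAMPLE_CHANGELOG")"
if [ -z "$result" ]; then
  echo "all advisory CVEs mentioned in changelog"
else
  echo "CVEs not mentioned in changelog: $result"
fi
```

Changelog grepping is a heuristic: a fix can land without the CVE being named in the package changelog, and a CVE can be named in a changelog entry for a different package. The authoritative view of whether the patch is installed or still needed is zypper itself, for example `zypper info -t patch SUSE-SLE-SERVER-12-SP1-2016-915` on a SLES 12-SP1 host, and the Nessus plugin clears once the updated RPM version is installed.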

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:U/RL:ND/RC:UR)
Public Exploit Available : false
