Debian DSA-2394-1 : libxml2 - several vulnerabilities

High Nessus Plugin ID 57702

Synopsis

The remote Debian host is missing a security-related update.

Description

Many security problems have been fixed in libxml2, a popular library to handle XML data files.

- CVE-2011-3919 :
Juri Aedla discovered a heap-based buffer overflow that allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

- CVE-2011-0216 :
An Off-by-one error have been discovered that allows remote attackers to execute arbitrary code or cause a denial of service.

- CVE-2011-2821 :
A memory corruption (double free) bug has been identified in libxml2's XPath engine. Through it, it is possible for an attacker to cause a denial of service or possibly have unspecified other impact. This vulnerability does not affect the oldstable distribution (lenny).

- CVE-2011-2834 :
Yang Dingning discovered a double free vulnerability related to XPath handling.

- CVE-2011-3905 :
An out-of-bounds read vulnerability had been discovered, which allows remote attackers to cause a denial of service.

Solution

Upgrade the libxml2 packages.

For the oldstable distribution (lenny), this problem has been fixed in version 2.6.32.dfsg-5+lenny5.

For the stable distribution (squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652352

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643648

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656377

https://security-tracker.debian.org/tracker/CVE-2011-3919

https://security-tracker.debian.org/tracker/CVE-2011-0216

https://security-tracker.debian.org/tracker/CVE-2011-2821

https://security-tracker.debian.org/tracker/CVE-2011-2834

https://security-tracker.debian.org/tracker/CVE-2011-3905

https://packages.debian.org/source/squeeze/libxml2

https://www.debian.org/security/2012/dsa-2394

Plugin Details

Severity: High

ID: 57702

File Name: debian_DSA-2394.nasl

Version: 1.13

Type: local

Agent: unix

Published: 2012/01/27

Updated: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libxml2, cpe:/o:debian:debian_linux:5.0, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2012/01/27

Reference Information

CVE: CVE-2011-0216, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919

BID: 48832, 49279, 49658, 51084, 51300

DSA: 2394