[USN-10-1] XML library vulnerabilities
Martin Pitt
martin.pitt at canonical.com
Fri Oct 29 19:52:49 UTC 2004
===========================================================
Ubuntu Security Notice USN-10-1 October 28, 2004
XML library vulnerabilities
CAN-2004-0981
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
libxml2
The problem can be corrected by upgrading the affected package to
version 2.6.11-3ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Several buffer overflows have been discovered in libxml2's FTP connection
and DNS resolution functions. Supplying very long FTP URLs or IP
addresses might result in execution of arbitrary code with the
privileges of the process using libxml2.
Since libxml2 is used in packages like php4-imagick, the vulnerability
also might lead to privilege escalation, like executing attacker
supplied code with a web server's privileges.
However, this does not affect the core XML parsing code, which is what
the majority of programs use this library for.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1.diff.gz
Size/MD5: 81651 eae051ac1100f886cbd8283edf8e5607
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1.dsc
Size/MD5: 789 918f6210e51f5bc9832ae6c0a1b9b01c
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11.orig.tar.gz
Size/MD5: 3693599 c391173a26ec7c2ac702b54d06420fdb
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.6.11-3ubuntu1.1_all.deb
Size/MD5: 982544 841f55ccc2187805a18e58f13c38a326
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.11-3ubuntu1.1_amd64.deb
Size/MD5: 1329748 de1f602df0902fdbe933a9642b8a8c69
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-python2.3_2.6.11-3ubuntu1.1_amd64.deb
Size/MD5: 489060 f1e515cb1c197e5e560940e235a6a25b
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.11-3ubuntu1.1_amd64.deb
Size/MD5: 257016 62c9834d6c4f9f24bc5d8fe95c06a6d3
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1_amd64.deb
Size/MD5: 672770 7723dbd0c5766dd5ac665b8a136ae424
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.11-3ubuntu1.1_i386.deb
Size/MD5: 1255242 825d79ae6985fb4b802647f092e9b054
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-python2.3_2.6.11-3ubuntu1.1_i386.deb
Size/MD5: 458560 8b1dd60cfadcf398d738747f4c0bc2c7
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.11-3ubuntu1.1_i386.deb
Size/MD5: 254420 e98777bd621906359d84d186102ad91b
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1_i386.deb
Size/MD5: 629992 f5cfca49f3212efaaf58d226ad4bc688
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.11-3ubuntu1.1_powerpc.deb
Size/MD5: 1416378 ec8500e62980b717e0acfe72a0898770
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-python2.3_2.6.11-3ubuntu1.1_powerpc.deb
Size/MD5: 484820 ae0eb37b289128fb64ccf69120437424
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.11-3ubuntu1.1_powerpc.deb
Size/MD5: 258252 c605662898a320d67bca0fe082a64110
http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1_powerpc.deb
Size/MD5: 675066 5f9ce27c76c23031b25239b3d3607d71
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20041029/818bba9d/attachment.sig>
More information about the ubuntu-security-announce
mailing list