[USN-3010-1] Expat vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Mon Jun 20 18:12:11 UTC 2016

Ubuntu Security Notice USN-3010-1
June 20, 2016

expat vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS


Several security issues were fixed in Expat.

Software Description:
- expat: XML parsing C library


It was discovered that Expat unexpectedly called srand in certain
circumstances. This could reduce the security of calling applications.

It was discovered that Expat incorrectly handled seeding the random number
generator. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2016-5300)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  lib64expat1                     2.1.0-7ubuntu0.16.04.2
  libexpat1                       2.1.0-7ubuntu0.16.04.2

Ubuntu 15.10:
  lib64expat1                     2.1.0-7ubuntu0.15.10.2
  libexpat1                       2.1.0-7ubuntu0.15.10.2

Ubuntu 14.04 LTS:
  lib64expat1                     2.1.0-4ubuntu1.3
  libexpat1                       2.1.0-4ubuntu1.3

Ubuntu 12.04 LTS:
  lib64expat1                     2.0.1-7.2ubuntu1.4
  libexpat1                       2.0.1-7.2ubuntu1.4

After a standard system upgrade you need to restart any applications linked
against Expat to effect the necessary changes.
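
The check below is an added example, not part of the original notice: it compares the installed Expat packages against the fixed versions listed above and finds processes that still have the pre-upgrade library mapped and therefore need the restart. The function names and the `--run` argument are hypothetical; it assumes `dpkg-query`, `dpkg`, `lsb_release` and a Linux `/proc`.

```bash
# Added example (not from the advisory): USN-3010-1 fix level and restart check.
# Fixed package versions copied from the advisory, keyed by Ubuntu release.
fixed_version_for() {
  case "$1" in
    16.04) echo "2.1.0-7ubuntu0.16.04.2" ;;
    15.10) echo "2.1.0-7ubuntu0.15.10.2" ;;
    14.04) echo "2.1.0-4ubuntu1.3" ;;
    12.04) echo "2.0.1-7.2ubuntu1.4" ;;
    *) return 1 ;;   # release not listed in this notice
  esac
}

# 0 = installed at or above the fixed version, 1 = older, 2 = not installed.
is_patched() {
  local have
  have="$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null)" || return 2
  [ -n "$have" ] || return 2
  dpkg --compare-versions "$have" ge "$2"
}

# Print PIDs whose memory map still references a libexpat file marked
# "(deleted)": the old library was replaced on disk but is still loaded.
# $1 is the proc root (defaults to /proc; a parameter so it can be tested).
stale_expat_pids() {
  local root="${1:-/proc}" maps pid
  for maps in "$root"/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if grep -Eq 'libexpat\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
      pid="${maps%/maps}"; echo "${pid##*/}"
    fi
  done
}

main() {
  local rel fixed pkg rc pid
  rel="$(lsb_release -rs)"
  fixed="$(fixed_version_for "$rel")" || { echo "Ubuntu $rel is not listed in USN-3010-1"; return 0; }
  for pkg in libexpat1 lib64expat1; do
    rc=0; is_patched "$pkg" "$fixed" || rc=$?
    case "$rc" in
      0) echo "$pkg: at or above $fixed" ;;
      1) echo "$pkg: older than $fixed, update required" ;;
      *) echo "$pkg: not installed" ;;
    esac
  done
  for pid in $(stale_expat_pids); do
    echo "pid $pid ($(cat "/proc/$pid/comm" 2>/dev/null)) still maps the old Expat; restart it"
  done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root with `--run` so the maps of processes owned by other users are readable; without root only your own processes are inspected.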

  CVE-2012-6702, CVE-2016-5300

Package Information:
