Debian Security Advisory
DLA-151-1 libxml2 -- LTS security update
- Date Reported: 07 Feb 2015
- Affected Packages: libxml2
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 768089. In Mitre's CVE dictionary: CVE-2014-0191, CVE-2014-3660.
- More information:
It was discovered that the update released for libxml2 in DSA 2978 fixing CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external entities regardless of whether entity substitution or validation is enabled.
In addition, this update addresses a regression introduced in DSA 3057 by the patch fixing CVE-2014-3660. This caused libxml2 to not parse an entity when it's used first in another entity referenced from an attribute value.
For Debian 6 Squeeze, these issues have been fixed in libxml2 version 2.7.8.dfsg-2+squeeze11