
[SECURITY] [DLA 508-1] expat security update




Package        : expat
Version        : 2.1.0-1+deb7u4
CVE ID         : CVE-2012-6702 CVE-2016-5300


Two related issues have been discovered in Expat, a C library for
parsing XML.

CVE-2012-6702

    This issue was introduced when CVE-2012-0876 was addressed. Stefan
    Sørensen discovered that calling XML_Parse() seeds the random number
    generator, causing subsequent rand() calls to produce repeated
    outputs.

CVE-2016-5300

    This issue results from an incomplete fix for CVE-2012-0876. The
    parser seeds its random number generator poorly, allowing an
    attacker to cause a denial of service (CPU consumption) via an XML
    file with crafted identifiers.

You might need to manually restart programs and services using expat
libraries.

For Debian 7 "Wheezy", these problems have been fixed in version
2.1.0-1+deb7u4.

We recommend that you upgrade your expat packages.
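To act on the two pieces of advice above (upgrade to 2.1.0-1+deb7u4 and restart anything still using the old library), the following shell script is an added example, not part of the advisory: it compares the installed libexpat1 package version against the fixed one and lists processes whose /proc/PID/maps still reference a deleted libexpat. It assumes Debian's dpkg tools and a Linux /proc; the two sample maps lines are constructed.

```shell
#!/bin/sh
# Added example (not from the DLA): verify the expat fix is installed and find
# processes that still map the pre-upgrade library and therefore need a restart.

FIXED_VERSION="2.1.0-1+deb7u4"   # fixed version named in the advisory

# Print "fixed", "vulnerable" or "not-installed" for the libexpat1 package.
expat_status() {
    installed=$(dpkg-query -W -f='${Version}' libexpat1 2>/dev/null) \
        || { echo "not-installed"; return 0; }
    if dpkg --compare-versions "$installed" ge "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Read /proc/PID/maps text on stdin; succeed (exit 0) if a deleted libexpat
# mapping is present, i.e. the process loaded the library before the package
# upgrade replaced the file on disk.
maps_has_stale_expat() {
    grep -q 'libexpat\.so[^ ]* (deleted)$'
}

# List "PID command" for every process that still maps a deleted libexpat.
stale_expat_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_expat < "$maps"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample maps lines: one from a process still holding the replaced
# file, one from a process that loaded the upgraded library.
SAMPLE_STALE='7f3b1c000000-7f3b1c026000 r-xp 00000000 08:01 131337 /lib/x86_64-linux-gnu/libexpat.so.1.6.0 (deleted)'
SAMPLE_FRESH='7f3b1c000000-7f3b1c026000 r-xp 00000000 08:01 131338 /lib/x86_64-linux-gnu/libexpat.so.1.6.0'

if [ "${1:-}" = "--scan" ]; then
    echo "libexpat1 package: $(expat_status)"
    echo "processes mapping a deleted libexpat (need restart):"
    stale_expat_processes
fi
```

Run it as `sh check-expat.sh --scan` as root so that every process's maps file is readable.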

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS