[SECURITY] [DLA 1641-1] mxml security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1641-1] mxml security update
From: Abhijith PA <abhijith@disroot.org>
Date: Fri, 25 Jan 2019 13:26:02 +0530
Message-id: <[🔎] f371f7d7-c667-c86b-6088-ed5b89dfe4a5@disroot.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : mxml
Version        : 2.6-2+deb8u1
CVE ID         : CVE-2016-4570 CVE-2016-4571 CVE-2018-20004
Debian Bug     : 825855 918007


Several stack exhaustion conditions were found in mxml that can easily
crash when parsing xml files.

CVE-2016-4570

    The mxmlDelete function in mxml-node.c allows remote attackers to
    cause a denial of service (stack consumption) via crafted xml file.

CVE-2016-4571

    The mxml_write_node function in mxml-file.c allows remote attackers
    to cause a denial of service (stack consumption) via crafted xml
    file

CVE-2018-20004

    A stack-based buffer overflow in mxml_write_node via vectors
    involving a double-precision floating point number.

For Debian 8 "Jessie", these problems have been fixed in version
2.6-2+deb8u1.

We recommend that you upgrade your mxml packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlxKwQoACgkQhj1N8u2c
KO8lNw/+LZbcV8HB+nj0rx5rYT0Ba05JixpnhgxMfrpTk+LCXM0a9CkFpg1TvZR/
aa0/PX5qABxqgIJJ27olD2/fLwFV6UbjfLSkCrVUU87rfk40QzwuUohM0JxZxQum
4XSNF9AeO6vVnG6r5Hx26/Roppq83Bj4SwLmoBf55Mg8EatP8WITDOQMj4TMPcqT
r46FBOtKNwqIyuJ2FPHdAzhnJVdW7LhWQYuKsFNlXlfeYtiNTldUEC0Gz4GLMUQa
cw49gDSVoa3Hzx3P2G6yp7Ht/JEayYYmrgKmaxi2mpXfMpNa1XG2zmvKtXTBJcn3
LmoSlGQtHrU30MvNo772BxP9oAnY+1NsFy+z/XoykJ0/ehtR+K2uD7xRWaxDmWac
+LZrIzcZkupLlh1cwr2qY9AbH+CKW1ldljD00WFrBGOB9OAQM0HzZS3NwiWprJ9H
fS1m5o1bPK6G80WOtex/mNR4tE8+vecj0k0Ee+cPJmKiCZMrGRmafcPGIT0w06Pp
lc7l3yvB3GYBuS4Ht2yYZadqal7m7GoVO05ygrWuC+hNPV6nuxfIWRnxUltN621U
BnP3rUGE9pmLc9yQ3qInsBSKOgIJwrUTvPrPuGTuXHeIF75ASEYSaS2ghyYf3J2j
0w2m3BCCgc8lYyREWlVSSNceJWZQ8a5Fwx3ta08eXk47+jigZIg=
=4yuz
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1640-1] tmpreaper security update
Next by Date: [SECURITY] [DLA 1642-1] postgresql-9.4 new minor release
Previous by thread: [SECURITY] [DLA 1640-1] tmpreaper security update
Next by thread: [SECURITY] [DLA 1642-1] postgresql-9.4 new minor release
Index(es):
- Date
- Thread