| Summary: | libxml2 new security issues CVE-2015-1819, CVE-2015-7941, and CVE-2015-8710 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, yann.cantin |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/650134/ | ||
| Whiteboard: | MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | libxml2-2.9.1-11.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-07-04 04:03:44 CEST
David Walser
2015-07-04 04:03:51 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO

Fixed in libxml2-2.9.2-1.mga6 in Cauldron except for bdo#782985.

(In reply to David Walser from comment #1)
> Fixed in libxml2-2.9.2-1.mga6 in Cauldron except for bdo#782985.

Also checked into Mageia 4 and Mageia 5 SVN.

As for bdo#782985 (aka bgo#746048), the patch suggested upstream applies cleanly, but I'll wait a little longer to see what others do with that one.

Patch for bgo#746048 committed as well. There still has been no action upstream or anywhere else on this.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

The xmlreader in libxml2 allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack (CVE-2015-1819).

The libxml2 package has been patched to fix this issue, as well as two out-of-bounds read issues (bgo#744980, bgo#746048).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819
https://bugzilla.gnome.org/show_bug.cgi?id=744980
https://bugzilla.gnome.org/show_bug.cgi?id=746048
http://lwn.net/Alerts/650108/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.1-2.3.mga4
libxml2-utils-2.9.1-2.3.mga4
libxml2-python-2.9.1-2.3.mga4
libxml2-devel-2.9.1-2.3.mga4
libxml2_2-2.9.1-11.1.mga5
libxml2-utils-2.9.1-11.1.mga5
libxml2-python-2.9.1-11.1.mga5
libxml2-devel-2.9.1-11.1.mga5

from SRPMS:
libxml2-2.9.1-2.3.mga4.src.rpm
libxml2-2.9.1-11.1.mga5.src.rpm

Version:
Cauldron =>
5

mga5 x86_64
mga4 x86_64 (VM)

Installed packages :
libxml2-utils-2.9.1-11.1.mga5
lib64xml2-devel-2.9.1-11.1.mga5
lib64xml2_2-2.9.1-11.1.mga5
libxml2-python-2.9.1-11.1.mga5

libxml2-utils-2.9.1-2.3.mga4
lib64xml2-devel-2.9.1-2.3.mga4
lib64xml2_2-2.9.1-2.3.mga4
libxml2-python-2.9.1-2.3.mga4

Testing procedure : all OK.

Update OK.

CC:
(none) =>
yann.cantin
Yann Cantin
2015-09-04 22:09:45 CEST
Whiteboard:
MGA4TOO has_procedure =>
MGA4TOO has_procedure MGA4-34-OK MGA5-64-OK
David Walser
2015-09-04 22:10:55 CEST
Whiteboard:
MGA4TOO has_procedure MGA4-34-OK MGA5-64-OK =>
MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK

Tested fine Mageia 4 i586 and Mageia 5 i586 using the procedure.

Whiteboard:
MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK =>
MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Validating.

Keywords:
(none) =>
validated_update

Advisory uploaded.

Whiteboard:
MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK =>
MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0358.html

Status:
NEW =>
RESOLVED

CVE request for bgo#744980:
http://openwall.com/lists/oss-security/2015/10/22/5

(In reply to David Walser from comment #9)
> CVE request for bgo#744980:
> http://openwall.com/lists/oss-security/2015/10/22/5

CVE-2015-7941 assigned:
http://openwall.com/lists/oss-security/2015/10/22/8

Summary:
libxml2 new security issue CVE-2015-1819 =>
libxml2 new security issues CVE-2015-1819 and CVE-2015-7941

(In reply to David Walser from comment #10)
> (In reply to David Walser from comment #9)
> > CVE request for bgo#744980:
> > http://openwall.com/lists/oss-security/2015/10/22/5
>
> CVE-2015-7941 assigned:
> http://openwall.com/lists/oss-security/2015/10/22/8

LWN reference:
http://lwn.net/Vulnerabilities/664752/

(In reply to David Walser from comment #2)
> As for bdo#782985 (aka bgo#746048), the patch suggested upstream applies
> cleanly, but I'll wait a little longer to see what others do with that one.

This one has been assigned CVE-2015-8710:
http://openwall.com/lists/oss-security/2015/12/31/7

Summary:
libxml2 new security issues CVE-2015-1819 and CVE-2015-7941 =>
libxml2 new security issues CVE-2015-1819, CVE-2015-7941, and CVE-2015-8710