Ubuntu has issued an advisory today (July 15):
http://www.ubuntu.com/usn/usn-1904-1/

Cauldron is not affected, as it was fixed in 2.9.1 (as noted by Ubuntu).

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2 incorrectly handled documents that end abruptly. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service (CVE-2013-2877).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
http://www.ubuntu.com/usn/usn-1904-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.7.mga2
libxml2-utils-2.7.8-14.20120229.7.mga2
libxml2-python-2.7.8-14.20120229.7.mga2
libxml2-devel-2.7.8-14.20120229.7.mga2
libxml2_2-2.9.0-5.2.mga3
libxml2-utils-2.9.0-5.2.mga3
libxml2-python-2.9.0-5.2.mga3
libxml2-devel-2.9.0-5.2.mga3

from SRPMS:
libxml2-2.7.8-14.20120229.7.mga2.src.rpm
libxml2-2.9.0-5.2.mga3.src.rpm
Whiteboard: (none) => MGA2TOO
I haven't found a POC.
We have a procedure for libxml2:
https://wiki.mageia.org/en/QA_procedure:Libxml2
You can also search for previous updates of libxml2 to see what people tested.
Whiteboard: MGA2TOO => MGA2TOO has_procedure
I messed up the CVE name in the source for the Mageia 2 update. It's rebuilt.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2 incorrectly handled documents that end abruptly. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service (CVE-2013-2877).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
http://www.ubuntu.com/usn/usn-1904-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.8.mga2
libxml2-utils-2.7.8-14.20120229.8.mga2
libxml2-python-2.7.8-14.20120229.8.mga2
libxml2-devel-2.7.8-14.20120229.8.mga2
libxml2_2-2.9.0-5.2.mga3
libxml2-utils-2.9.0-5.2.mga3
libxml2-python-2.9.0-5.2.mga3
libxml2-devel-2.9.0-5.2.mga3

from SRPMS:
libxml2-2.7.8-14.20120229.8.mga2.src.rpm
libxml2-2.9.0-5.2.mga3.src.rpm
Testing complete mga2 64
No public PoC that I can find so just testing with our procedure.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-64-ok
Testing complete mga2 32
Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok
Testing complete mga3 64
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok
Testing complete mga3 32
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
Validating. Advisory from comment 2 uploaded.
Could sysadmin please push from 2 & 3 core/updates_testing to core/updates
Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0218.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)