Debian LTS has issued an advisory today (July 3):
http://lwn.net/Alerts/650108/

The RedHat bug for CVE-2015-1819 is here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819

This is the upstream commit to fix it:
https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9

Debian LTS also fixed two other security issues whose CVE requests were ignored.

One (bdo#783010) has been fixed upstream in these commits:
https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31
https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489

The other (bdo#782985) has not yet been fixed upstream.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Fixed in libxml2-2.9.2-1.mga6 in Cauldron except for bdo#782985.
(In reply to David Walser from comment #1)
> Fixed in libxml2-2.9.2-1.mga6 in Cauldron except for bdo#782985.

Also checked into Mageia 4 and Mageia 5 SVN.

As for bdo#782985 (aka bgo#746048), the patch suggested upstream applies cleanly, but I'll wait a little longer to see what others do with that one.
Patch for bgo#746048 committed as well. There still has been no action upstream or anywhere else on this.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

The xmlreader in libxml2 allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack (CVE-2015-1819).

The libxml2 package has been patched to fix this issue, as well as two out-of-bounds read issues (bgo#744980, bgo#746048).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819
https://bugzilla.gnome.org/show_bug.cgi?id=744980
https://bugzilla.gnome.org/show_bug.cgi?id=746048
http://lwn.net/Alerts/650108/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.1-2.3.mga4
libxml2-utils-2.9.1-2.3.mga4
libxml2-python-2.9.1-2.3.mga4
libxml2-devel-2.9.1-2.3.mga4
libxml2_2-2.9.1-11.1.mga5
libxml2-utils-2.9.1-11.1.mga5
libxml2-python-2.9.1-11.1.mga5
libxml2-devel-2.9.1-11.1.mga5

from SRPMS:
libxml2-2.9.1-2.3.mga4.src.rpm
libxml2-2.9.1-11.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure
mga5 x86_64
mga4 x86_64 (VM)

Installed packages :
libxml2-utils-2.9.1-11.1.mga5
lib64xml2-devel-2.9.1-11.1.mga5
lib64xml2_2-2.9.1-11.1.mga5
libxml2-python-2.9.1-11.1.mga5

libxml2-utils-2.9.1-2.3.mga4
lib64xml2-devel-2.9.1-2.3.mga4
lib64xml2_2-2.9.1-2.3.mga4
libxml2-python-2.9.1-2.3.mga4

Testing procedure : all OK.

Update OK.
CC: (none) => yann.cantin
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-34-OK MGA5-64-OK
Whiteboard: MGA4TOO has_procedure MGA4-34-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK
Tested fine Mageia 4 i586 and Mageia 5 i586 using the procedure.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0358.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE request for bgo#744980:
http://openwall.com/lists/oss-security/2015/10/22/5
(In reply to David Walser from comment #9)
> CVE request for bgo#744980:
> http://openwall.com/lists/oss-security/2015/10/22/5

CVE-2015-7941 assigned:
http://openwall.com/lists/oss-security/2015/10/22/8
Summary: libxml2 new security issue CVE-2015-1819 => libxml2 new security issues CVE-2015-1819 and CVE-2015-7941
(In reply to David Walser from comment #10)
> (In reply to David Walser from comment #9)
> > CVE request for bgo#744980:
> > http://openwall.com/lists/oss-security/2015/10/22/5
>
> CVE-2015-7941 assigned:
> http://openwall.com/lists/oss-security/2015/10/22/8

LWN reference:
http://lwn.net/Vulnerabilities/664752/
(In reply to David Walser from comment #2)
> As for bdo#782985 (aka bgo#746048), the patch suggested upstream applies
> cleanly, but I'll wait a little longer to see what others do with that one.

This one has been assigned CVE-2015-8710:
http://openwall.com/lists/oss-security/2015/12/31/7
Summary: libxml2 new security issues CVE-2015-1819 and CVE-2015-7941 => libxml2 new security issues CVE-2015-1819, CVE-2015-7941, and CVE-2015-8710
*** Bug 22536 has been marked as a duplicate of this bug. ***
CC: (none) => andrewsfarm