Mandriva issued this advisory today (February 22):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:023

Cauldron is vulnerable as well.
available on testing
CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs
Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions (CVE-2012-0841).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
https://bugzilla.redhat.com/show_bug.cgi?id=787067
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:023
========================

Updated packages in core/updates_testing:
========================
libxml2-devel-2.7.8-9.5.mga1
libxml2-python-2.7.8-9.5.mga1
libxml2-utils-2.7.8-9.5.mga1
libxml2_2-2.7.8-9.5.mga1

from libxml2-2.7.8-9.5.mga1.src.rpm
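The advisory above describes the problem in one sentence: a fixed, predictable hash function lets anyone precompute keys that land in the same bucket, turning each table operation into a linear scan. The following is an added illustration, not libxml2's code and not the patch applied in this update: a small chained hash table that counts key comparisons, fed the same set of colliding keys once with a fixed seed and once with a random per-table seed. The hash function is an assumption for the demonstration (a keyed BLAKE2b digest stands in for libxml2's internal routine), the table size of 64 buckets is deliberately tiny, and the keys are constructed sample values.

```python
"""Toy demonstration of predictable hash collisions and of the per-table
random seed that defuses them (added example, not libxml2's own code)."""
import hashlib
import os
from typing import List, Tuple

NBUCKETS = 64  # deliberately tiny table so the effect is easy to observe


def bucket_of(key: bytes, seed: bytes) -> int:
    """Reduce a keyed hash of `key` to a bucket index.

    seed=b'' models the old behaviour (one fixed, publicly known function);
    a random seed models the mitigation described in the advisory.
    BLAKE2b is an assumption standing in for libxml2's internal hash."""
    digest = hashlib.blake2b(key, digest_size=4, key=seed).digest()
    return int.from_bytes(digest, "big") % NBUCKETS


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons, which is
    the cost that colliding keys drive up."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.buckets: List[List[bytes]] = [[] for _ in range(NBUCKETS)]
        self.comparisons = 0

    def insert(self, key: bytes) -> None:
        chain = self.buckets[bucket_of(key, self.seed)]
        for existing in chain:  # linear scan: cost grows with chain length
            self.comparisons += 1
            if existing == key:
                return
        chain.append(key)

    def max_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def colliding_keys(n: int, seed: bytes = b"") -> List[bytes]:
    """Collect n distinct keys that all fall into bucket 0 under the fixed
    (seed=b'') hash. This is only possible because the function is known;
    with a secret random seed the bucket of a key cannot be predicted."""
    found: List[bytes] = []
    i = 0
    while len(found) < n:
        candidate = b"k%d" % i  # constructed sample keys
        if bucket_of(candidate, seed) == 0:
            found.append(candidate)
        i += 1
    return found


def compare(n: int = 200) -> Tuple[int, int, int, int]:
    """Insert the same colliding key set into a fixed-seed table and into a
    random-seed table; return (max chain, comparisons) for each table."""
    keys = colliding_keys(n)
    fixed = ChainedTable(seed=b"")
    randomized = ChainedTable(seed=os.urandom(16))
    for key in keys:
        fixed.insert(key)
        randomized.insert(key)
    return (fixed.max_chain(), fixed.comparisons,
            randomized.max_chain(), randomized.comparisons)


if __name__ == "__main__":
    f_max, f_cmp, r_max, r_cmp = compare()
    print(f"fixed seed:  longest chain {f_max}, comparisons {f_cmp}")
    print(f"random seed: longest chain {r_max}, comparisons {r_cmp}")
```

With the fixed seed all 200 keys share one chain, so inserting them costs 200*199/2 = 19900 comparisons; with a random seed the same keys spread over the 64 buckets and the cost drops to a few hundred. The point for a defender is that the seed must be unknown to the sender and chosen fresh per process or per table, which is exactly what the randomization in this update provides.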
We have a wiki page for this :)
https://wiki.mageia.org/en/Testing_procedure_for_libxml2

$ python testxml.py
Tested OK

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">

$ strace -o strace.out chromium-browser
$ grep xml strace.out
...
open("/usr/lib64/libxml2.so.2", O_RDONLY) = 3
...

Testing complete x86_64
Testing complete on i586.

Could someone from the sysadmin team push the srpm libxml2-2.7.8-9.5.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

Updated libxml2 packages fix security vulnerabilities:

It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions (CVE-2012-0841).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
https://bugzilla.redhat.com/show_bug.cgi?id=787067
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:023
https://bugs.mageia.org/show_bug.cgi?id=4634
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED