Bug 6985 - libxml2 new security issue CVE-2012-2807
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: x86_64 Linux
Priority: Normal Severity: critical
Assigned To: QA Team
Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2...
Keywords: validated_update
Reported: 2012-08-08 14:24 CEST by David Walser
Modified: 2012-08-12 21:28 CEST

Source RPM: libxml2
Description David Walser 2012-08-08 14:24:36 CEST
Mandriva has issued an advisory on August 6:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:126
Comment 1 David Walser 2012-08-08 16:50:21 CEST
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

Multiple integer overflows in libxml2, on 64-bit Linux platforms
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors (CVE-2012-2807).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:126
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-9.7.mga1
libxml2-utils-2.7.8-9.7.mga1
libxml2-python-2.7.8-9.7.mga1
libxml2-devel-2.7.8-9.7.mga1
libxml2_2-2.7.8-14.20120229.3.mga2
libxml2-utils-2.7.8-14.20120229.3.mga2
libxml2-python-2.7.8-14.20120229.3.mga2
libxml2-devel-2.7.8-14.20120229.3.mga2

from SRPMS:
libxml2-2.7.8-9.7.mga1.src.rpm
libxml2-2.7.8-14.20120229.3.mga2.src.rpm
Comment 2 Samuel Verschelde 2012-08-08 20:33:33 CEST
I haven't found any POCs, so let's test for regressions. We've got a testing procedure in the wiki: https://wiki.mageia.org/en/QA_procedure:Libxml2
Comment 3 Dave Hodgins 2012-08-09 01:34:03 CEST
Testing complete on Mageia 2 i586.  I'll test 2 x86-64 shortly.
Comment 4 Dave Hodgins 2012-08-09 01:49:02 CEST
Testing complete on Mageia 2 x86-64.  Testing Mageia 1 i586 shortly.
Comment 5 Dave Hodgins 2012-08-09 01:55:01 CEST
Testing complete on Mageia 1 i586.  Testing 1 x86-64 shortly.
Comment 6 Dave Hodgins 2012-08-09 02:01:05 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
libxml2-2.7.8-14.20120229.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libxml2-2.7.8-9.7.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated libxml2 packages fix security vulnerability:

Multiple integer overflows in libxml2, on 64-bit Linux platforms
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors (CVE-2012-2807).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:126

https://bugs.mageia.org/show_bug.cgi?id=6985
Comment 7 Thomas Backlund 2012-08-12 21:28:59 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0213
