RedHat has issued an advisory on February 28:
Patched packages uploaded for Mageia 2 and Cauldron.
Patch checked into Mageia 1 SVN.
Updated libxml2 packages fix security vulnerability:
A denial of service flaw was found in the way libxml2 performed string
substitutions when entity values for entity references replacement was
enabled. A remote attacker could provide a specially-crafted XML file that,
when processed by an application linked against libxml2, would lead to
excessive CPU consumption (CVE-2013-0338).
Updated packages in core/updates_testing:
Steps to Reproduce:
python test and xml utils testing All tested OK per the wiki procedure.
No PoC found on securityfocus.
Python test and xml utils testing All tested OK per the wiki procedure
Can someone from the sysadmin team please push from core/updates_testing to core/updates?
has_procedure MGA2-64-ok =>
has_procedure MGA2-64-ok MGA2-32-OK Validated-update
has_procedure MGA2-64-ok MGA2-32-OK Validated-update =>
has_procedure MGA2-64-ok MGA2-32-OK Validated_update
has_procedure MGA2-64-ok MGA2-32-OK Validated_update =>
has_procedure MGA2-64-ok MGA2-32-OK
This has been validated (in Comment 3). Advisory and SRPM in Comment 0.
FYI. This was discussed on oss-sec:
Oden, do we need to take further action for CVE-2013-0339,0340,0341?
I think you should check which patches are applied to the RHEL6 package, which is quite a few. The redhat bug doesn't expose much, neither does the patches.
As for Mandriva MES5 I'm considering using their version + patches, which means a bump from 2.7.1 to 2.7.6. YUCK!
I think they silently fixed CVE-2013-0339 in RHEL6, maybe even dates back to july 2012(!).
As for the expat patches I found no further info, yet.
libxml2 2.9.0 and earlier allows context-dependent attackers to cause
a denial of service (CPU and memory consumption) via an XML file
containing an entity declaration with long replacement text and many
references to this entity, aka "internal entity expansion" with linear