Arch Linux Security Advisory ASA-201606-13
==========================================

Severity: Medium
Date    : 2016-06-13
CVE-ID  : CVE-2012-6702 CVE-2016-5300
Package : expat
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package expat before version 2.1.1-3 is vulnerable to multiple
issues: its hash-salt generation reseeds the C library's pseudo random
number generator with a predictable value, and the salt itself carries
too little entropy, which allows a hash collision based denial of
service.

Resolution
==========

Upgrade to 2.1.1-3.

# pacman -Syu "expat>=2.1.1-3"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2012-6702 (predictable random numbers)

It was found that the fix for CVE-2012-0876 seeds the hash salt from
inside XML_Parse by calling srand() with the current time and then
reading rand(), unless the application has supplied its own non-zero
salt with XML_SetHashSalt(). Because srand() acts on the process-wide
generator, an application that calls XML_Parse ahead of its own rand()
calls has its generator reseeded with a value that anyone who knows
the wall clock can reproduce, so the numbers it subsequently draws are
predictable.

- CVE-2016-5300 (denial of service)

It was found that the original fix for CVE-2012-0876 used too little
entropy for the hash initialization: a salt derived from the current
time and a single rand() call can be guessed by an attacker. With the
salt known, an attacker can craft documents whose names collide in
expat's hash tables and perform a hash collision based denial of
service attack.

Impact
======

A remote attacker who can get an application to parse crafted XML is
able to predict the numbers the application later obtains from the C
library PRNG, or to perform a hash collision based attack resulting in
denial of service.

References
==========

https://access.redhat.com/security/cve/CVE-2012-6702
https://access.redhat.com/security/cve/CVE-2016-5300
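The following program is an added illustration of the two issues in the
Description section; it is not part of the advisory and not expat's own
code. It models the salt generation that the advisory describes (srand()
with the clock, then rand()) next to a salt generator that reads the
kernel CSPRNG and leaves rand() untouched, and it includes the check a
practitioner can run to see whether drawing a salt disturbs the
application's own rand() stream. It deliberately does not link
libexpat, so the functions vulnerable_salt_at, vulnerable_salt,
predict_next_rand_after_salt, hardened_salt and salt_perturbs_app_prng
are this example's own names; it assumes a POSIX system with
/dev/urandom. The only expat API it refers to, XML_SetHashSalt(), is
named in a comment as the place where a real program would hand over the
salt.

```c
/* Added example: models the time-seeded expat hash salt
 * (CVE-2012-6702 / CVE-2016-5300) next to a hardened salt generator.
 * Stand-alone; does not link libexpat. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Model of the vulnerable behaviour: reseed the process-wide libc PRNG
 * from the wall clock, then take one rand() as the salt.  The salt has
 * about as much entropy as the timestamp, and the reseed is visible to
 * every later rand() call in the application. */
unsigned long vulnerable_salt_at(time_t now)
{
    srand((unsigned int)now);
    return (unsigned long)rand();
}

unsigned long vulnerable_salt(void)
{
    return vulnerable_salt_at(time(NULL));
}

/* What an attacker who knows the second can compute: the value the
 * application's next rand() will return once the salt has been drawn. */
int predict_next_rand_after_salt(time_t now)
{
    srand((unsigned int)now);
    (void)rand();          /* the call that produced the salt */
    return rand();         /* the application's next rand() */
}

/* Hardened generator: take the salt from the kernel CSPRNG and never
 * touch rand()/srand().  Returns 0 on failure; callers must treat 0 as
 * "no salt" and refuse to parse, because a 0 salt tells expat to
 * generate one itself. */
unsigned long hardened_salt(void)
{
    unsigned long salt = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, &salt, sizeof salt);
    close(fd);
    if (n != (ssize_t)sizeof salt)
        return 0;
    return salt;
}

/* Check: does drawing a salt with `gen` change the value the
 * application would otherwise have received from rand()?
 * Returns 1 if the application's PRNG stream was perturbed, else 0. */
int salt_perturbs_app_prng(unsigned long (*gen)(void), unsigned int app_seed)
{
    srand(app_seed);
    int expected = rand();
    srand(app_seed);
    (void)gen();
    int got = rand();
    return got != expected;
}

int main(void)
{
    time_t now = time(NULL);

    srand(12345);                           /* the application's own seed */
    unsigned long salt = vulnerable_salt_at(now);
    int app_value = rand();                 /* application draws a number */
    printf("time-seeded salt 0x%lx, app rand() = %d, attacker predicts %d\n",
           salt, app_value, predict_next_rand_after_salt(now));

    printf("time-seeded salt perturbs app PRNG: %d\n",
           salt_perturbs_app_prng(vulnerable_salt, 12345));
    printf("urandom salt perturbs app PRNG:     %d\n",
           salt_perturbs_app_prng(hardened_salt, 12345));

    unsigned long good = hardened_salt();
    if (good == 0) {
        fputs("no entropy source available; refusing to parse\n", stderr);
        return 1;
    }
    /* In a real program: XML_SetHashSalt(parser, good) before XML_Parse(). */
    printf("hardened salt 0x%lx\n", good);
    return 0;
}
```

The two salt_perturbs_app_prng calls are the quick check: with the
time-seeded generator the application's rand() value after parsing is no
longer the one its own seed would have produced, while the urandom-backed
generator leaves the stream exactly as it was. An application that must
stay on the affected expat version can apply the same idea by passing a
salt of its own to XML_SetHashSalt() before the first XML_Parse().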