[arch-security] [Arch Linux Security Advisory ASA-201410-12] libxml2: Denial of service
anthraxx at archlinux.org
Fri Oct 24 22:15:08 UTC 2014
Arch Linux Security Advisory ASA-201410-12
Date : 2014-10-24
CVE-ID : CVE-2014-0191, CVE-2014-3660
Package : libxml2
Type : Denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======

The package libxml2 before version 2.9.2-1 is vulnerable to denial of
service, even if entity substitution is disabled.

Resolution
==========

Upgrade to 2.9.2-1.

# pacman -Syu "libxml2>=2.9.2-1"

The problems have been fixed upstream in version 2.9.2.

Description
===========

Daniel Berrange discovered that libxml2 incorrectly performs entity
substitution in the doctype prolog, even if the application using
libxml2 disabled any entity substitution. A remote attacker could
provide a specially crafted XML file that, when processed, leads to the
exhaustion of CPU and memory resources or file descriptors.

Impact
======

A remote attacker is able to exploit this vulnerability using a
specially crafted XML document containing malicious attributes to
consume all available CPU and memory resources or file descriptors.
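The advisory's point is that disabling entity substitution in the application was not enough, because the vulnerable libxml2 versions still expanded entities declared in the doctype prolog. The following Python script is an added example, not part of the advisory or of libxml2: it audits the DOCTYPE prolog before the document reaches any XML parser, computes how large each declared entity would become without actually expanding it, and rejects nested-entity bombs, recursive declarations, and external or parameter entities. The function names (audit_prolog, expansion_size), the thresholds (64 declarations, 1,000,000 bytes of expansion) and the three sample documents are assumptions constructed for illustration; the check covers only the internal DTD subset and refuses documents that point at an external DTD.

```python
import re

# Constructed sample documents (not from the advisory).
BENIGN = '''<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY company "Example Corp">
]>
<note>Hello from &company;</note>'''

# Classic nested-entity ("billion laughs") document: ten levels of
# tenfold expansion, all declared inside the DOCTYPE prolog.
BILLION_LAUGHS = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol0 "lol">\n'
                  + ''.join('<!ENTITY lol%d "%s">\n' % (i, '&lol%d;' % (i - 1) * 10)
                            for i in range(1, 10))
                  + ']>\n<lolz>&lol9;</lolz>')

# External general entity: rejected outright, no expansion math needed.
XXE = '''<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<foo>&ext;</foo>'''

ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%"\']+)\s+'
    r'(?:(?P<ext>SYSTEM|PUBLIC)\s+)?(?P<q>["\'])(?P<value>.*?)(?P=q)', re.S)
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')
EXTERNAL_DTD = re.compile(r'<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b')
INTERNAL_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)


def expansion_size(name, ents, cache, stack):
    """Byte size of the fully expanded text of entity `name`, derived from the
    declarations alone: cost is proportional to the declarations, not to the
    expansion, so a 3 GB bomb is measured without allocating 3 GB."""
    if name in stack:
        raise ValueError("recursive entity reference via %r" % name)
    if name in cache:
        return cache[name]
    stack.add(name)
    value = ents[name]
    size, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - pos
        ref = m.group(1)
        # Undeclared or predefined references (&amp; etc.) count as literal text.
        size += expansion_size(ref, ents, cache, stack) if ref in ents else len(m.group(0))
        pos = m.end()
    size += len(value) - pos
    stack.discard(name)
    cache[name] = size
    return size


def audit_prolog(xml, max_entities=64, max_expansion=1_000_000):
    """Inspect the DOCTYPE prolog of `xml` and report whether it is safe to hand
    to a parser. Thresholds are illustrative assumptions, not libxml2 defaults."""
    report = {"entities": 0, "external": False, "parameter": False,
              "max_expansion": 0, "safe": True, "reason": ""}

    def reject(why):
        report["safe"] = False
        report["reason"] = why
        return report

    if EXTERNAL_DTD.search(xml):
        return reject("external DTD subset")
    m = INTERNAL_SUBSET.search(xml)
    if not m:
        return report  # no internal subset: nothing for the prolog to expand
    ents = {}
    for d in ENTITY_DECL.finditer(m.group(1)):
        report["entities"] += 1
        if d.group("param"):
            report["parameter"] = True
        elif d.group("ext"):
            report["external"] = True
        else:
            ents[d.group("name")] = d.group("value")
    if report["parameter"] or report["external"]:
        return reject("parameter or external entity declared")
    if report["entities"] > max_entities:
        return reject("too many entity declarations (%d)" % report["entities"])
    cache = {}
    try:
        for name in ents:
            report["max_expansion"] = max(report["max_expansion"],
                                          expansion_size(name, ents, cache, set()))
    except ValueError as exc:
        return reject(str(exc))
    if report["max_expansion"] > max_expansion:
        return reject("entity expansion of %d bytes exceeds limit" % report["max_expansion"])
    return report


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("billion laughs", BILLION_LAUGHS), ("xxe", XXE)):
        r = audit_prolog(doc)
        print("%-15s safe=%-5s entities=%d expansion=%d %s"
              % (label, r["safe"], r["entities"], r["max_expansion"], r["reason"]))
```

Because the size is computed from the declarations rather than by expanding them, the check itself cannot be turned into the denial of service it is meant to prevent; the nested sample resolves to an expansion of 3,000,000,000 bytes from ten one-line declarations. Run it as a gate in front of whatever libxml2-based parser the application uses: it is defense in depth for the upgraded package, not a substitute for it.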