USN-2214-3: libxml2 regression

Publication date

17 June 2014

Overview

USN-2214-1 introduced a regression in libxml2.


Packages

Details

USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a
number of regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Daniel Berrange discovered that libxml2 would incorrectly perform entity
substitution even when requested not to. If a user or automated system were
tricked into opening a specially crafted document, an attacker could
possibly cause resource consumption, resulting in a denial of service.

USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a
number of regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Daniel Berrange discovered that libxml2 would incorrectly perform entity
substitution even when requested not to. If a user or automated system were
tricked into opening a specially crafted document, an attacker could
possibly cause resource consumption, resulting in a denial of service.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
14.04 trusty libxml2 –  2.9.1+dfsg1-3ubuntu4.3
13.10 saucy libxml2 –  2.9.1+dfsg1-3ubuntu2.3
12.04 precise libxml2 –  2.7.8.dfsg-5.1ubuntu4.9
10.04 lucid libxml2 –  2.7.6.dfsg-1ubuntu1.13

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›