CVE-2016-4449

Properties

Published: 08.06.2016
Updated: 29.06.2016
Patch available:
Severity: Medium
CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
Product:
debian: debian_linux
canonical: ubuntu_linux

Vulnerability description

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

References:

DEBIAN: https://www.debian.org/security/2016/dsa-3593
CONFIRM: https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5
CONFIRM: http://xmlsoft.org/news.html
UBUNTU: http://www.ubuntu.com/usn/USN-2994-1
SLACKWARE: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.404722
MLIST: http://www.openwall.com/lists/oss-security/2016/05/25/2