Vulnerability CVE-2016-4449: Information

Description

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

Severity: HIGH (7.1) Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-4449

Published: June 9, 2016

Modified: Jan. 18, 2018

Error type identifier: CWE-20

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
libxml2	sisyphus	2.9.3.0.5.6511-alt1	2.12.7-alt1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p10	2.9.3.0.5.6511-alt1	2.9.12-alt1.p10.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p9	2.9.3.0.5.6511-alt1	2.9.10-alt6.p9.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p8	2.9.4.0.12.e905-alt1	2.9.4.0.12.e905-alt1	ALT-PU-2017-1252-1	179256	Fixed
libxml2	c10f1	2.9.3.0.5.6511-alt1	2.9.12-alt1.p10.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	c9f2	2.9.3.0.5.6511-alt1	2.9.12-alt1.c9f2.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p11	2.9.3.0.5.6511-alt1	2.12.7-alt1	ALT-PU-2016-1221-1	160389	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
DSA-3593
USN-2994-1
[oss-security] 20160525 3 libxml2 issues
http://xmlsoft.org/news.html
https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5	Vendor Advisory
SSA:2016-148-01
RHSA-2016:1292
APPLE-SA-2016-07-18-4
APPLE-SA-2016-07-18-1
https://support.apple.com/HT206904
https://support.apple.com/HT206899
https://support.apple.com/HT206902
APPLE-SA-2016-07-18-2
APPLE-SA-2016-07-18-6
https://support.apple.com/HT206905
https://support.apple.com/HT206903
APPLE-SA-2016-07-18-3
https://support.apple.com/HT206901
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05194709
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
90865
https://kc.mcafee.com/corporate/index?page=content&id=SB10170
https://www.tenable.com/security/tns-2016-18
https://support.cybozu.com/ja-jp/article/9735
JVNDB-2017-000066
JVN#17535578
1036348
RHSA-2016:2957
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Affected configurations:
1. Configuration 1
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  
  Configuration 3
  cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
  End including
  2.9.3

Version: v24.5.3

Vulnerability CVE-2016-4449: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3