CLD-20 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | libxml2 |
Deficiency Type | SECURITY |
Date Created | 2017-09-13 10:24:23 |
Date Last Modified | 2017-09-13 10:44:55 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in libxml2-2.9.5-i686-1 |
Cucumber 1.0 x86_64 | fixed in libxml2-2.9.5-x86_64-1 and libxml2-lib_i686-2.9.5-lib_i686-1 |
Cucumber 1.1 i686 | fixed in libxml2-2.9.5-i686-1 |
Cucumber 1.1 x86_64 | fixed in libxml2-2.9.5-x86_64-1 and libxml2-lib_i686-2.9.5-lib_i686-1 |
Details:
** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers
to cause a denial of service (NULL pointer dereference) via a crafted XML
document. NOTE: The maintainer states "I would disagree of a CVE with the
Recover parsing option which should only be used for manual recovery at least
for XML parser." (https://nvd.nist.gov/vuln/detail/CVE-2017-5969)
The Bugzilla page (https://bugzilla.gnome.org/show_bug.cgi?id=778519) claims
this was fixed by https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882.
This patch has been applied in 2.9.5.