[xml/sgml-pkgs] Bug#660846: libxml2: CVE-2012-0841 computational DoS attack via hash collisions

Nico Golde nion at debian.org
Wed Feb 22 09:59:50 UTC 2012

Source: libxml2
Severity: grave
Tags: security patch

the following CVE (Common Vulnerabilities & Exposures) id was
published for libxml2.

| Juraj Somorovsky reported that certain XML parsers/servers are affected by the
| same, or similar, flaw as the hash table collisions CPU usage denial of
| service.  Sending a specially crafted message to an XML service can result in
| longer processing time, which could lead to a denial of service.  It is
| reported that this attack on XML can be applied on different XML nodes (such as
| entities, element attributes, namespaces, various elements in the XML security,
| etc.).

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch: http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841

Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20120222/99ce07f2/attachment.pgp>

More information about the debian-xml-sgml-pkgs mailing list