Synopsis: Updated libxml2 resolves security vulnerability
Advisory ID: FLSA:1324
Issue date: 2004-07-19
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1324
CVE Names: CAN-2004-0110
-----------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated libxml2 packages that fix an overflow when parsing remote resources
are now available.

2. Relevent releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110
to this issue.

All users are advised to upgrade to these updated packages, which contain a
backported fix and are not vulnerable to this issue.

Fedora Legacy would like to thank Johnny Strom for reporting this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

http://bugzilla.fedora.us - 1324 - libxml2: an overflow when parsing remote
resources.

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libxml2-2.4.19...

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-2.4.19-...
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-python-...
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-devel-2...

7. Verification:

SHA1 sum Package Name
- ---------------------------------------------------------------------------

7ea6c8e40a04c2eafb82d53e8e6931b27348f4ad
7.3/updates/SRPMS/libxml2-2.4.19-5.legacy.src.rpm
c325b2b9d03335b41db6b0b462a35d1ed847e56f
7.3/updates/i386/libxml2-2.4.19-5.legacy.i386.rpm
c53f70cad435630b3e5b5f5d363c7d425f980a35
7.3/updates/i386/libxml2-devel-2.4.19-5.legacy.i386.rpm
8819fa789731693645839f32f55aac2f2dc27906
7.3/updates/i386/libxml2-python-2.4.19-5.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
https://www.redhat.com/archives/redhat-watch-list/2004-February/msg00007...
http://mail.gnome.org/archives/xml/2004-February/msg00070.html

==============================================================================

sysklogd

Synopsis: Updated sysklogd resolves memory buffer bug
Advisory ID: FLSA:1553
Issue date: 2004-07-19
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1553
-----------------------------------------------------------------------

1. Topic:

Updated sysklogd packages that fixes a memory buffer bug are now available.

2. Relevent releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

The sysklogd package contains two system utilities (syslogd and klogd) that
provide support for system logging. Syslogd and klogd run as daemons and
log system messages to different places, like sendmail logs, security
logs, and error logs.

During a code review it was discovered that syslogd does not allocate
enough memory to store all its pointers in the crunch list. Without it,
the array is not big enough and unexpected results (or core dump) may
follow.

All users are advised to upgrade to these updated packages, which contain a
backported fix and are not vulnerable to this issue.

Fedora Legacy would like to thank Rok Papez for reporting this issue.

4. Solution:

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1553 - syslogd memory allocation error

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sysklogd-1.4.1...

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sysklogd-1.4.1-...

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sysklogd-1.4.1...

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sysklogd-1.4.1-...

7. Verification:

SHA1 sum Package Name
- ---------------------------------------------------------------------------

3f8e285b96ae0edac5e13ac79ac399370273aabf
7.3/updates/SRPMS/sysklogd-1.4.1-14.legacy.7x.src.rpm
f0f67bd5db849a382f6535363b6233f8e72a45c5
7.3/updates/i386/sysklogd-1.4.1-14.legacy.7x.i386.rpm

ed1462e72e4ab23e7bb3ec270a4df7fa3216dd5e
9/updates/SRPMS/sysklogd-1.4.1-14.legacy.9.src.rpm
9a5972d1b3485c875b8f57b7b277341a74958d4b
9/updates/i386/sysklogd-1.4.1-14.legacy.9.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

관련 링크: http://www.fedoralegacy.org

+ Recent posts