Security update for expat
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2017:0483-1
Final
1
1
2017-02-16T20:52:53Z
current
2017-02-16T20:52:53Z
2017-02-16T20:52:53Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for expat
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not
called XML_SetHashSalt or passed it a seed of 0, made it easier for
context-dependent attackers to defeat cryptographic protection mechanisms
via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy
for hash initialization, which allowed context-dependent attackers to
cause a denial of service (CPU consumption) via crafted identifiers in
an XML document. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2012-0876. (bsc#983216)
This update was imported from the SUSE:SLE-12:Update update project.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2017-02/msg00071.html
E-Mail link for openSUSE-SU-2017:0483-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.1
openSUSE Leap 42.2
expat-2.1.0-19.1
libexpat-devel-2.1.0-19.1
libexpat-devel-32bit-2.1.0-19.1
libexpat1-2.1.0-19.1
libexpat1-32bit-2.1.0-19.1
expat-2.1.0-19.1 as a component of openSUSE Leap 42.1
libexpat-devel-2.1.0-19.1 as a component of openSUSE Leap 42.1
libexpat-devel-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.1
libexpat1-2.1.0-19.1 as a component of openSUSE Leap 42.1
libexpat1-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.1
expat-2.1.0-19.1 as a component of openSUSE Leap 42.2
libexpat-devel-2.1.0-19.1 as a component of openSUSE Leap 42.2
libexpat-devel-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.2
libexpat1-2.1.0-19.1 as a component of openSUSE Leap 42.2
libexpat1-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.2
Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
CVE-2012-6702
openSUSE Leap 42.1:expat-2.1.0-19.1
openSUSE Leap 42.1:libexpat-devel-2.1.0-19.1
openSUSE Leap 42.1:libexpat-devel-32bit-2.1.0-19.1
openSUSE Leap 42.1:libexpat1-2.1.0-19.1
openSUSE Leap 42.1:libexpat1-32bit-2.1.0-19.1
openSUSE Leap 42.2:expat-2.1.0-19.1
openSUSE Leap 42.2:libexpat-devel-2.1.0-19.1
openSUSE Leap 42.2:libexpat-devel-32bit-2.1.0-19.1
openSUSE Leap 42.2:libexpat1-2.1.0-19.1
openSUSE Leap 42.2:libexpat1-32bit-2.1.0-19.1
moderate
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-02/msg00071.html
https://www.suse.com/security/cve/CVE-2012-6702.html
CVE-2012-6702
https://bugzilla.suse.com/983215
SUSE Bug 983215
https://bugzilla.suse.com/983216
SUSE Bug 983216
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
CVE-2016-5300
openSUSE Leap 42.1:expat-2.1.0-19.1
openSUSE Leap 42.1:libexpat-devel-2.1.0-19.1
openSUSE Leap 42.1:libexpat-devel-32bit-2.1.0-19.1
openSUSE Leap 42.1:libexpat1-2.1.0-19.1
openSUSE Leap 42.1:libexpat1-32bit-2.1.0-19.1
openSUSE Leap 42.2:expat-2.1.0-19.1
openSUSE Leap 42.2:libexpat-devel-2.1.0-19.1
openSUSE Leap 42.2:libexpat-devel-32bit-2.1.0-19.1
openSUSE Leap 42.2:libexpat1-2.1.0-19.1
openSUSE Leap 42.2:libexpat1-32bit-2.1.0-19.1
moderate
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-02/msg00071.html
https://www.suse.com/security/cve/CVE-2016-5300.html
CVE-2016-5300
https://bugzilla.suse.com/983216
SUSE Bug 983216