libxml2-2-2.9.4-1.22 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10192 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libxml2-2-2.9.4-1.22 on GA media These are all security issues fixed in the libxml2-2-2.9.4-1.22 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10192 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10192 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2008-4225/ SUSE CVE CVE-2008-4225 page https://www.suse.com/security/cve/CVE-2008-4226/ SUSE CVE CVE-2008-4226 page https://www.suse.com/security/cve/CVE-2008-4409/ SUSE CVE CVE-2008-4409 page https://www.suse.com/security/cve/CVE-2010-4494/ SUSE CVE CVE-2010-4494 page https://www.suse.com/security/cve/CVE-2011-1944/ SUSE CVE CVE-2011-1944 page https://www.suse.com/security/cve/CVE-2012-5134/ SUSE CVE CVE-2012-5134 page https://www.suse.com/security/cve/CVE-2013-0338/ SUSE CVE CVE-2013-0338 page https://www.suse.com/security/cve/CVE-2013-1969/ SUSE CVE CVE-2013-1969 page https://www.suse.com/security/cve/CVE-2014-0191/ SUSE CVE CVE-2014-0191 page https://www.suse.com/security/cve/CVE-2014-3660/ SUSE CVE CVE-2014-3660 page https://www.suse.com/security/cve/CVE-2015-1819/ SUSE CVE CVE-2015-1819 page https://www.suse.com/security/cve/CVE-2015-5312/ SUSE CVE CVE-2015-5312 page https://www.suse.com/security/cve/CVE-2015-7497/ SUSE CVE CVE-2015-7497 page https://www.suse.com/security/cve/CVE-2015-7498/ SUSE CVE CVE-2015-7498 page https://www.suse.com/security/cve/CVE-2015-7499/ SUSE CVE CVE-2015-7499 page https://www.suse.com/security/cve/CVE-2015-7500/ SUSE CVE CVE-2015-7500 page https://www.suse.com/security/cve/CVE-2015-7941/ SUSE CVE CVE-2015-7941 page https://www.suse.com/security/cve/CVE-2015-7942/ SUSE CVE CVE-2015-7942 page https://www.suse.com/security/cve/CVE-2015-8035/ SUSE CVE CVE-2015-8035 page https://www.suse.com/security/cve/CVE-2015-8242/ SUSE CVE CVE-2015-8242 page https://www.suse.com/security/cve/CVE-2016-1762/ SUSE CVE CVE-2016-1762 page https://www.suse.com/security/cve/CVE-2016-1833/ SUSE CVE CVE-2016-1833 page https://www.suse.com/security/cve/CVE-2016-1834/ SUSE CVE CVE-2016-1834 page https://www.suse.com/security/cve/CVE-2016-1835/ SUSE CVE CVE-2016-1835 page https://www.suse.com/security/cve/CVE-2016-1836/ SUSE CVE CVE-2016-1836 page https://www.suse.com/security/cve/CVE-2016-1837/ SUSE CVE CVE-2016-1837 page https://www.suse.com/security/cve/CVE-2016-1838/ SUSE CVE CVE-2016-1838 page https://www.suse.com/security/cve/CVE-2016-1839/ SUSE CVE CVE-2016-1839 page https://www.suse.com/security/cve/CVE-2016-1840/ SUSE CVE CVE-2016-1840 page https://www.suse.com/security/cve/CVE-2016-3627/ SUSE CVE CVE-2016-3627 page https://www.suse.com/security/cve/CVE-2016-3705/ SUSE CVE CVE-2016-3705 page https://www.suse.com/security/cve/CVE-2016-4483/ SUSE CVE CVE-2016-4483 page openSUSE Tumbleweed libxml2-2-2.9.4-1.22 libxml2-2-32bit-2.9.4-1.22 libxml2-devel-2.9.4-1.22 libxml2-devel-32bit-2.9.4-1.22 libxml2-doc-2.9.4-1.22 libxml2-tools-2.9.4-1.22 libxml2-2-2.9.4-1.22 as a component of openSUSE Tumbleweed libxml2-2-32bit-2.9.4-1.22 as a component of openSUSE Tumbleweed libxml2-devel-2.9.4-1.22 as a component of openSUSE Tumbleweed libxml2-devel-32bit-2.9.4-1.22 as a component of openSUSE Tumbleweed libxml2-doc-2.9.4-1.22 as a component of openSUSE Tumbleweed libxml2-tools-2.9.4-1.22 as a component of openSUSE Tumbleweed Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document. CVE-2008-4225 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4225.html CVE-2008-4225 https://bugzilla.suse.com/445677 SUSE Bug 445677 Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document. CVE-2008-4226 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4226.html CVE-2008-4226 https://bugzilla.suse.com/441368 SUSE Bug 441368 libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. CVE-2008-4409 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4409.html CVE-2008-4409 https://bugzilla.suse.com/432486 SUSE Bug 432486 Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling. CVE-2010-4494 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-4494.html CVE-2010-4494 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/661471 SUSE Bug 661471 Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions. CVE-2011-1944 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1944.html CVE-2011-1944 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/697372 SUSE Bug 697372 Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document. CVE-2012-5134 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5134.html CVE-2012-5134 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/791234 SUSE Bug 791234 https://bugzilla.suse.com/793334 SUSE Bug 793334 https://bugzilla.suse.com/795039 SUSE Bug 795039 https://bugzilla.suse.com/804033 SUSE Bug 804033 libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. CVE-2013-0338 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0338.html CVE-2013-0338 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/805233 SUSE Bug 805233 Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function. CVE-2013-1969 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1969.html CVE-2013-1969 https://bugzilla.suse.com/815665 SUSE Bug 815665 The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document. CVE-2014-0191 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0191.html CVE-2014-0191 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/876652 SUSE Bug 876652 https://bugzilla.suse.com/877506 SUSE Bug 877506 https://bugzilla.suse.com/996079 SUSE Bug 996079 parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack. CVE-2014-3660 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3660.html CVE-2014-3660 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/901546 SUSE Bug 901546 The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. CVE-2015-1819 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1819.html CVE-2015-1819 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/928193 SUSE Bug 928193 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-5312 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5312.html CVE-2015-5312 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957105 SUSE Bug 957105 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7497 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7497.html CVE-2015-7497 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957106 SUSE Bug 957106 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7498 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7498.html CVE-2015-7498 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957107 SUSE Bug 957107 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7499 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7499.html CVE-2015-7499 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957109 SUSE Bug 957109 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-7500 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7500.html CVE-2015-7500 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957110 SUSE Bug 957110 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities. CVE-2015-7941 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7941.html CVE-2015-7941 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/951734 SUSE Bug 951734 https://bugzilla.suse.com/951735 SUSE Bug 951735 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941. CVE-2015-7942 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7942.html CVE-2015-7942 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/951735 SUSE Bug 951735 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. CVE-2015-8035 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8035.html CVE-2015-8035 https://bugzilla.suse.com/1088279 SUSE Bug 1088279 https://bugzilla.suse.com/1105166 SUSE Bug 1105166 https://bugzilla.suse.com/954429 SUSE Bug 954429 The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8242 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8242.html CVE-2015-8242 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/956021 SUSE Bug 956021 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. CVE-2016-1762 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1762.html CVE-2016-1762 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981040 SUSE Bug 981040 The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. CVE-2016-1833 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1833.html CVE-2016-1833 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981108 SUSE Bug 981108 Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. CVE-2016-1834 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1834.html CVE-2016-1834 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981041 SUSE Bug 981041 Use-after-free vulnerability in the xmlSAX2AttributeNs function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to cause a denial of service via a crafted XML document. CVE-2016-1835 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1835.html CVE-2016-1835 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981109 SUSE Bug 981109 Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service via a crafted XML document. CVE-2016-1836 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1836.html CVE-2016-1836 https://bugzilla.suse.com/1174862 SUSE Bug 1174862 https://bugzilla.suse.com/981110 SUSE Bug 981110 Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause a denial of service via a crafted XML document. CVE-2016-1837 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1837.html CVE-2016-1837 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981111 SUSE Bug 981111 The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. CVE-2016-1838 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1838.html CVE-2016-1838 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981112 SUSE Bug 981112 The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. CVE-2016-1839 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1839.html CVE-2016-1839 https://bugzilla.suse.com/1039069 SUSE Bug 1039069 https://bugzilla.suse.com/1039661 SUSE Bug 1039661 https://bugzilla.suse.com/1069433 SUSE Bug 1069433 https://bugzilla.suse.com/1069690 SUSE Bug 1069690 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/963963 SUSE Bug 963963 https://bugzilla.suse.com/981114 SUSE Bug 981114 Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. CVE-2016-1840 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1840.html CVE-2016-1840 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/981115 SUSE Bug 981115 The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. CVE-2016-3627 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3627.html CVE-2016-3627 https://bugzilla.suse.com/1026099 SUSE Bug 1026099 https://bugzilla.suse.com/1026101 SUSE Bug 1026101 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/972335 SUSE Bug 972335 https://bugzilla.suse.com/975947 SUSE Bug 975947 The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references. CVE-2016-3705 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3705.html CVE-2016-3705 https://bugzilla.suse.com/1017497 SUSE Bug 1017497 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/975947 SUSE Bug 975947 The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627. CVE-2016-4483 openSUSE Tumbleweed:libxml2-2-2.9.4-1.22 openSUSE Tumbleweed:libxml2-2-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-2.9.4-1.22 openSUSE Tumbleweed:libxml2-devel-32bit-2.9.4-1.22 openSUSE Tumbleweed:libxml2-doc-2.9.4-1.22 openSUSE Tumbleweed:libxml2-tools-2.9.4-1.22 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4483.html CVE-2016-4483 https://bugzilla.suse.com/1026101 SUSE Bug 1026101 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/978395 SUSE Bug 978395