Security update for tidy
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2015:1513-1
Final
1
1
2015-08-26T20:03:54Z
current
2015-08-26T20:03:54Z
2015-08-26T20:03:54Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for tidy
This update fixes two heap-based buffer overflows in tidy/libtidy. These vulnerabilities
could allow remote attackers to cause a denial of service (crash) via vectors involving
a command character in an href. (CVE-2015-5522, CVE-2015-5523)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-SDK-12-2015-501
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2015/suse-su-20151513-1/
Link for SUSE-SU-2015:1513-1
https://lists.suse.com/pipermail/sle-security-updates/2015-September/001580.html
E-Mail link for SUSE-SU-2015:1513-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/903962
SUSE Bug 903962
https://bugzilla.suse.com/933588
SUSE Bug 933588
https://www.suse.com/security/cve/CVE-2015-5522/
SUSE CVE CVE-2015-5522 page
https://www.suse.com/security/cve/CVE-2015-5523/
SUSE CVE CVE-2015-5523 page
SUSE Linux Enterprise Software Development Kit 12
libtidy-0_99-0-1.0.20100204cvs-25.3
libtidy-0_99-0-devel-1.0.20100204cvs-25.3
tidy-1.0.20100204cvs-25.3
libtidy-0_99-0-1.0.20100204cvs-25.3 as a component of SUSE Linux Enterprise Software Development Kit 12
libtidy-0_99-0-devel-1.0.20100204cvs-25.3 as a component of SUSE Linux Enterprise Software Development Kit 12
tidy-1.0.20100204cvs-25.3 as a component of SUSE Linux Enterprise Software Development Kit 12
Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href.
CVE-2015-5522
SUSE Linux Enterprise Software Development Kit 12:libtidy-0_99-0-1.0.20100204cvs-25.3
SUSE Linux Enterprise Software Development Kit 12:libtidy-0_99-0-devel-1.0.20100204cvs-25.3
SUSE Linux Enterprise Software Development Kit 12:tidy-1.0.20100204cvs-25.3
low
To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20151513-1/
https://www.suse.com/security/cve/CVE-2015-5522.html
CVE-2015-5522
https://bugzilla.suse.com/933588
SUSE Bug 933588
The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation.
CVE-2015-5523
SUSE Linux Enterprise Software Development Kit 12:libtidy-0_99-0-1.0.20100204cvs-25.3
SUSE Linux Enterprise Software Development Kit 12:libtidy-0_99-0-devel-1.0.20100204cvs-25.3
SUSE Linux Enterprise Software Development Kit 12:tidy-1.0.20100204cvs-25.3
low
To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20151513-1/
https://www.suse.com/security/cve/CVE-2015-5523.html
CVE-2015-5523
https://bugzilla.suse.com/933588
SUSE Bug 933588