-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ************************************************************************************ Netwosix Linux Security Advisory #2004-0004 <http://www.netwosix.org> - ----------------------------------------------------------------------------------- Package name: libxml2 Summary: Buffer overflow in the nanohttp or nanoftp modules in XMLSoft Libxml2 2.6.0 Date: 2004-03-04 Affected versions: Netwosix 1.0 ************************************************************************************ - -> Package description: - ------------------------ Libxml2 is the XML C parser and toolkit developed for the Gnome project. - -> Problem description: - ------------------------ A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi Teranishi. When fetching a remote source via FTP or HTTP, libxml2 uses special parsing routines that can overflow a buffer if passed a very long URL. In the event that the attacker can find a program that uses libxml2 which parses remote resources and allows them to influence the URL, this flaw could be used to execute arbitrary code. - -> Action: - ------------------------ We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system. - -> Location: - --------------------- You can download the latest version of this package in NEPOTE format from: <http://download.netwosix.org/0004/nepote> - -> Nepote Update (Nepote has been updated with new ports on 25 February 2004. Update your portage tree from http://nepote.netwosix.org, first): - --------------------- See this instructions to update the port of this package: # cd /usr/ports/lib/libxml # rm nepote # wget http://download.netwosix.org/0004/nepote # sh nepote (to install the new and updated package) - -> References - --------------------- Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110 - -> About Linux Netwosix: - --------------------------------- Linux Netwosix is a powerful and optimized Linux distribution for servers and Network Security related jobs. It can also be used for special operations such as penetration testing with its big collection of security oriented software and sources. It's a light distribution created for the requirements of every SysAdmin and it's very portable and highly configurable. Our philosophy is to give greater liberty for configuration to the SysAdmin. Only in this way can he/she configure a powerful and stable server machine. Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD systems but more flexible and usable. - -> Questions? - --------------------- Check out our mailing lists: <http://www.netwosix.org/mailing.html> The advisory itself is available at <http://www.netwosix.org/adv04.html> - -------------------------------------------------- MD5sums of the packages: - - -------------------------------------------------------------------------- 60cb43bdcc312a611178df10c52a19c6 0004/nepote - - -------------------------------------------------------------------------- Vincenzo Ciaglia - Linux Netwosix Security Advisories <ciaglia@netwosix.org> - <http://www.netwosix.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAR6JP6jz9pGuz4koRAvzeAJ98LXBB30rNXDdkoTjW20FLCVuDmwCeOqsh 0JB1uL92Ux7adp2bz+uf/0c= =ySSs -----END PGP SIGNATURE-----
