-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                       MDVSA-2009:316-3
http://www.mandriva.com/security/
_______________________________________________________________________

Package : expat
Date    : January 10, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in expat:

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
as used in the XML-Twig module for Perl, allows context-dependent
attackers to cause a denial of service (application crash) via an XML
document with malformed UTF-8 sequences that trigger a buffer
over-read, related to the doProlog function in lib/xmlparse.c, a
different vulnerability than CVE-2009-2625 and CVE-2009-3720
(CVE-2009-3560).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

This update provides a solution to these vulnerabilities.

Update:

The previous (MDVSA-2009:316-2) updates provided packages for
2008.0/2009.0/2009.1/2010.0/mes5 that did not have an increased
release number, which prevented the packages from hitting the mirrors.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
https://bugzilla.novell.com/show_bug.cgi?id=566434
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLSa6LmqjQ0CJFipgRAismAJwNAoq62MoQe6algI6ORpj32M13EQCfSyOt
LnDKMlnXZBjDtSA1Vggis7E=
=TrDH
-----END PGP SIGNATURE-----