ID CVE-2014-3660
Summary parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
References
Vulnerable Configurations
  • XMLSoft Libxml2 2.8.0
    cpe:2.3:a:xmlsoft:libxml2:2.8.0
  • XMLSoft Libxml2 2.0.0
    cpe:2.3:a:xmlsoft:libxml2:2.0.0
  • XMLSoft Libxml2 2.1.0
    cpe:2.3:a:xmlsoft:libxml2:2.1.0
  • XMLSoft Libxml2 2.1.1
    cpe:2.3:a:xmlsoft:libxml2:2.1.1
  • XMLSoft Libxml2 2.2.0
    cpe:2.3:a:xmlsoft:libxml2:2.2.0
  • XMLSoft Libxml2 2.2.0 beta
    cpe:2.3:a:xmlsoft:libxml2:2.2.0:beta
  • XMLSoft Libxml2 2.2.1
    cpe:2.3:a:xmlsoft:libxml2:2.2.1
  • XMLSoft Libxml2 2.2.10
    cpe:2.3:a:xmlsoft:libxml2:2.2.10
  • XMLSoft Libxml2 2.2.11
    cpe:2.3:a:xmlsoft:libxml2:2.2.11
  • XMLSoft Libxml2 2.2.2
    cpe:2.3:a:xmlsoft:libxml2:2.2.2
  • XMLSoft Libxml2 2.2.3
    cpe:2.3:a:xmlsoft:libxml2:2.2.3
  • XMLSoft Libxml2 2.2.4
    cpe:2.3:a:xmlsoft:libxml2:2.2.4
  • XMLSoft Libxml2 2.2.5
    cpe:2.3:a:xmlsoft:libxml2:2.2.5
  • XMLSoft Libxml2 2.2.6
    cpe:2.3:a:xmlsoft:libxml2:2.2.6
  • XMLSoft Libxml2 2.2.7
    cpe:2.3:a:xmlsoft:libxml2:2.2.7
  • XMLSoft Libxml2 2.2.8
    cpe:2.3:a:xmlsoft:libxml2:2.2.8
  • XMLSoft Libxml2 2.2.9
    cpe:2.3:a:xmlsoft:libxml2:2.2.9
  • XMLSoft Libxml2 2.3.0
    cpe:2.3:a:xmlsoft:libxml2:2.3.0
  • XMLSoft Libxml2 2.3.1
    cpe:2.3:a:xmlsoft:libxml2:2.3.1
  • XMLSoft Libxml2 2.3.10
    cpe:2.3:a:xmlsoft:libxml2:2.3.10
  • XMLSoft Libxml2 2.3.11
    cpe:2.3:a:xmlsoft:libxml2:2.3.11
  • XMLSoft Libxml2 2.3.12
    cpe:2.3:a:xmlsoft:libxml2:2.3.12
  • XMLSoft Libxml2 2.3.13
    cpe:2.3:a:xmlsoft:libxml2:2.3.13
  • XMLSoft Libxml2 2.3.14
    cpe:2.3:a:xmlsoft:libxml2:2.3.14
  • XMLSoft Libxml2 2.3.2
    cpe:2.3:a:xmlsoft:libxml2:2.3.2
  • XMLSoft Libxml2 2.3.3
    cpe:2.3:a:xmlsoft:libxml2:2.3.3
  • XMLSoft Libxml2 2.3.4
    cpe:2.3:a:xmlsoft:libxml2:2.3.4
  • XMLSoft Libxml2 2.3.5
    cpe:2.3:a:xmlsoft:libxml2:2.3.5
  • XMLSoft Libxml2 2.3.6
    cpe:2.3:a:xmlsoft:libxml2:2.3.6
  • XMLSoft Libxml2 2.3.7
    cpe:2.3:a:xmlsoft:libxml2:2.3.7
  • XMLSoft Libxml2 2.3.8
    cpe:2.3:a:xmlsoft:libxml2:2.3.8
  • XMLSoft Libxml2 2.3.9
    cpe:2.3:a:xmlsoft:libxml2:2.3.9
  • XMLSoft Libxml2 2.4.1
    cpe:2.3:a:xmlsoft:libxml2:2.4.1
  • XMLSoft Libxml2 2.4.10
    cpe:2.3:a:xmlsoft:libxml2:2.4.10
  • XMLSoft Libxml2 2.4.11
    cpe:2.3:a:xmlsoft:libxml2:2.4.11
  • XMLSoft Libxml2 2.4.12
    cpe:2.3:a:xmlsoft:libxml2:2.4.12
  • XMLSoft Libxml2 2.4.13
    cpe:2.3:a:xmlsoft:libxml2:2.4.13
  • XMLSoft Libxml2 2.4.14
    cpe:2.3:a:xmlsoft:libxml2:2.4.14
  • XMLSoft Libxml2 2.4.15
    cpe:2.3:a:xmlsoft:libxml2:2.4.15
  • XMLSoft Libxml2 2.4.16
    cpe:2.3:a:xmlsoft:libxml2:2.4.16
  • XMLSoft Libxml2 2.4.17
    cpe:2.3:a:xmlsoft:libxml2:2.4.17
  • XMLSoft Libxml2 2.4.18
    cpe:2.3:a:xmlsoft:libxml2:2.4.18
  • XMLSoft Libxml2 2.4.19
    cpe:2.3:a:xmlsoft:libxml2:2.4.19
  • XMLSoft Libxml2 2.4.2
    cpe:2.3:a:xmlsoft:libxml2:2.4.2
  • XMLSoft Libxml2 2.4.20
    cpe:2.3:a:xmlsoft:libxml2:2.4.20
  • XMLSoft Libxml2 2.4.21
    cpe:2.3:a:xmlsoft:libxml2:2.4.21
  • XMLSoft Libxml2 2.4.22
    cpe:2.3:a:xmlsoft:libxml2:2.4.22
  • XMLSoft Libxml2 2.4.23
    cpe:2.3:a:xmlsoft:libxml2:2.4.23
  • XMLSoft Libxml2 2.4.24
    cpe:2.3:a:xmlsoft:libxml2:2.4.24
  • XMLSoft Libxml2 2.4.25
    cpe:2.3:a:xmlsoft:libxml2:2.4.25
  • XMLSoft Libxml2 2.4.26
    cpe:2.3:a:xmlsoft:libxml2:2.4.26
  • XMLSoft Libxml2 2.4.27
    cpe:2.3:a:xmlsoft:libxml2:2.4.27
  • XMLSoft Libxml2 2.4.28
    cpe:2.3:a:xmlsoft:libxml2:2.4.28
  • XMLSoft Libxml2 2.4.29
    cpe:2.3:a:xmlsoft:libxml2:2.4.29
  • XMLSoft Libxml2 2.4.3
    cpe:2.3:a:xmlsoft:libxml2:2.4.3
  • XMLSoft Libxml2 2.4.30
    cpe:2.3:a:xmlsoft:libxml2:2.4.30
  • XMLSoft Libxml2 2.4.4
    cpe:2.3:a:xmlsoft:libxml2:2.4.4
  • XMLSoft Libxml2 2.4.5
    cpe:2.3:a:xmlsoft:libxml2:2.4.5
  • XMLSoft Libxml2 2.4.6
    cpe:2.3:a:xmlsoft:libxml2:2.4.6
  • XMLSoft Libxml2 2.4.7
    cpe:2.3:a:xmlsoft:libxml2:2.4.7
  • XMLSoft Libxml2 2.4.8
    cpe:2.3:a:xmlsoft:libxml2:2.4.8
  • XMLSoft Libxml2 2.4.9
    cpe:2.3:a:xmlsoft:libxml2:2.4.9
  • XMLSoft Libxml2 2.5.0
    cpe:2.3:a:xmlsoft:libxml2:2.5.0
  • XMLSoft Libxml2 2.5.10
    cpe:2.3:a:xmlsoft:libxml2:2.5.10
  • XMLSoft Libxml2 2.5.11
    cpe:2.3:a:xmlsoft:libxml2:2.5.11
  • XMLSoft Libxml2 2.5.4
    cpe:2.3:a:xmlsoft:libxml2:2.5.4
  • XMLSoft Libxml2 2.5.7
    cpe:2.3:a:xmlsoft:libxml2:2.5.7
  • XMLSoft Libxml2 2.5.8
    cpe:2.3:a:xmlsoft:libxml2:2.5.8
  • XMLSoft Libxml2 2.6.0
    cpe:2.3:a:xmlsoft:libxml2:2.6.0
  • XMLSoft Libxml2 2.6.1
    cpe:2.3:a:xmlsoft:libxml2:2.6.1
  • XMLSoft Libxml2 2.6.11
    cpe:2.3:a:xmlsoft:libxml2:2.6.11
  • XMLSoft Libxml2 2.6.12
    cpe:2.3:a:xmlsoft:libxml2:2.6.12
  • XMLSoft Libxml2 2.6.13
    cpe:2.3:a:xmlsoft:libxml2:2.6.13
  • XMLSoft Libxml2 2.6.14
    cpe:2.3:a:xmlsoft:libxml2:2.6.14
  • XMLSoft Libxml2 2.6.16
    cpe:2.3:a:xmlsoft:libxml2:2.6.16
  • XMLSoft Libxml2 2.6.17
    cpe:2.3:a:xmlsoft:libxml2:2.6.17
  • XMLSoft Libxml2 2.6.18
    cpe:2.3:a:xmlsoft:libxml2:2.6.18
  • XMLSoft Libxml2 2.6.2
    cpe:2.3:a:xmlsoft:libxml2:2.6.2
  • XMLSoft Libxml2 2.6.20
    cpe:2.3:a:xmlsoft:libxml2:2.6.20
  • XMLSoft Libxml2 2.6.21
    cpe:2.3:a:xmlsoft:libxml2:2.6.21
  • XMLSoft Libxml2 2.6.22
    cpe:2.3:a:xmlsoft:libxml2:2.6.22
  • XMLSoft Libxml2 2.6.23
    cpe:2.3:a:xmlsoft:libxml2:2.6.23
  • XMLSoft Libxml2 2.6.24
    cpe:2.3:a:xmlsoft:libxml2:2.6.24
  • XMLSoft Libxml2 2.6.25
    cpe:2.3:a:xmlsoft:libxml2:2.6.25
  • XMLSoft Libxml2 2.6.26
    cpe:2.3:a:xmlsoft:libxml2:2.6.26
  • XMLSoft Libxml2 2.6.27
    cpe:2.3:a:xmlsoft:libxml2:2.6.27
  • XMLSoft Libxml2 2.6.28
    cpe:2.3:a:xmlsoft:libxml2:2.6.28
  • XMLSoft Libxml2 2.6.29
    cpe:2.3:a:xmlsoft:libxml2:2.6.29
  • XMLSoft Libxml2 2.6.3
    cpe:2.3:a:xmlsoft:libxml2:2.6.3
  • XMLSoft Libxml2 2.6.30
    cpe:2.3:a:xmlsoft:libxml2:2.6.30
  • XMLSoft Libxml2 2.6.31
    cpe:2.3:a:xmlsoft:libxml2:2.6.31
  • XMLSoft Libxml2 2.6.32
    cpe:2.3:a:xmlsoft:libxml2:2.6.32
  • XMLSoft Libxml2 2.6.4
    cpe:2.3:a:xmlsoft:libxml2:2.6.4
  • XMLSoft Libxml2 2.6.5
    cpe:2.3:a:xmlsoft:libxml2:2.6.5
  • XMLSoft Libxml2 2.6.6
    cpe:2.3:a:xmlsoft:libxml2:2.6.6
  • XMLSoft Libxml2 2.6.7
    cpe:2.3:a:xmlsoft:libxml2:2.6.7
  • XMLSoft Libxml2 2.6.8
    cpe:2.3:a:xmlsoft:libxml2:2.6.8
  • XMLSoft Libxml2 2.6.9
    cpe:2.3:a:xmlsoft:libxml2:2.6.9
  • XMLSoft Libxml2 2.7.0
    cpe:2.3:a:xmlsoft:libxml2:2.7.0
  • XMLSoft Libxml2 2.7.1
    cpe:2.3:a:xmlsoft:libxml2:2.7.1
  • XMLSoft Libxml2 2.7.2
    cpe:2.3:a:xmlsoft:libxml2:2.7.2
  • XMLSoft Libxml2 2.7.3
    cpe:2.3:a:xmlsoft:libxml2:2.7.3
  • XMLSoft Libxml2 2.7.4
    cpe:2.3:a:xmlsoft:libxml2:2.7.4
  • XMLSoft Libxml2 2.7.5
    cpe:2.3:a:xmlsoft:libxml2:2.7.5
  • XMLSoft Libxml2 2.7.6
    cpe:2.3:a:xmlsoft:libxml2:2.7.6
  • XMLSoft Libxml2 2.7.7
    cpe:2.3:a:xmlsoft:libxml2:2.7.7
  • XMLSoft Libxml2 2.7.8
    cpe:2.3:a:xmlsoft:libxml2:2.7.8
  • XMLSoft Libxml2 2.9.0
    cpe:2.3:a:xmlsoft:libxml2:2.9.0
  • XMLSoft Libxml2 2.9.0 release candidate 1
    cpe:2.3:a:xmlsoft:libxml2:2.9.0:rc1
  • XMLSoft Libxml2 2.9.1
    cpe:2.3:a:xmlsoft:libxml2:2.9.1
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 10.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:10.04:-:-:-:lts
  • Apple Mac OS X 10.10.4
    cpe:2.3:o:apple:mac_os_x:10.10.4
  • Red Hat Enterprise Linux 5.0
    cpe:2.3:o:redhat:enterprise_linux:5.0
CVSS
Base: 5.0 (as of 05-05-2016 - 11:29)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0097.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball - CVE-2015-1819 Enforce the reader to run in constant memory(rhbz#1214163) - Stop parsing on entities boundaries errors - Fix missing entities after CVE-2014-3660 fix (rhbz#1149086) - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149086) - Fix html serialization error and htmlSetMetaEncoding (rhbz#1004513)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85138
    published 2015-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85138
    title OracleVM 3.3 : libxml2 (OVMSA-2015-0097)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-151.NASL
    description It was discovered that the update released for libxml2 in DSA 2978 fixing CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external entities regardless of whether entity substitution or validation is enabled. In addition, this update addresses a regression introduced in DSA 3057 by the patch fixing CVE-2014-3660. This caused libxml2 to not parse an entity when it's used first in another entity referenced from an attribute value. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 82134
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82134
    title Debian DLA-151-1 : libxml2 security update
  • NASL family Misc.
    NASL id APPLETV_7_2_1.NASL
    description According to its banner, the remote Apple TV device is a version prior to 7.2.1. It is, therefore, affected by multiple vulnerabilities in the following components : - bootp - CFPreferences - CloudKit - Code Signing - CoreMedia Playback - CoreText - DiskImages - FontParser - ImageIO - IOHIDFamily - IOKit - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - libxslt - Location Framework - Office Viewer - QL Office - Sandbox_profiles - WebKit
    last seen 2019-02-21
    modified 2018-12-14
    plugin id 90315
    published 2016-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90315
    title Apple TV < 7.2.1 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1885.NASL
    description Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79380
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79380
    title RHEL 5 : libxml2 (RHSA-2014:1885)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1885.NASL
    description From Red Hat Security Advisory 2014:1885 : Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 79373
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79373
    title Oracle Linux 5 : libxml2 (ELSA-2014-1885)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0063.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Add libxml2-enterprise.patch - Replaced doc/redhat.gif in tarball with updated image - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1161841) - fixed one regexp bug and added a (rhbz#922450) - Another small change on the algorithm for the elimination of epsilon (rhbz#922450) - detect and stop excessive entities expansion upon replacement (rhbz#912573) - fix validation issues with some XSD (rhbz#877348) - xmlDOMWrapCloneNode discards namespace of the node parameter (rhbz#884707)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91745
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91745
    title OracleVM 3.2 : libxml2 (OVMSA-2016-0063)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-959.NASL
    description - update to 2.9.3 - full changelog: http://www.xmlsoft.org/news.html - fixed CVEs: CVE-2015-8242, CVE-2015-7500, CVE-2015-7499, CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-8035, CVE-2015-7942, CVE-2015-1819, CVE-2015-7941, CVE-2014-3660, CVE-2014-0191, CVE-2015-8241, CVE-2015-8317 - fixed bugs: [bsc#928193], [bsc#951734], [bsc#951735], [bsc#954429], [bsc#956018], [bsc#956021], [bsc#956260], [bsc#957105], [bsc#957106], [bsc#957107], [bsc#957109], [bsc#957110]
    last seen 2019-02-21
    modified 2016-05-16
    plugin id 87631
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87631
    title openSUSE Security Update : libxml2 (openSUSE-2015-959)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0031.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149085) - Fix a set of regressions introduced in CVE-2014-0191 (rhbz#1105011) - Improve handling of xmlStopParser(CVE-2013-2877) - Do not fetch external parameter entities (CVE-2014-0191) - Fix a regression in 2.9.0 breaking validation while streaming (rhbz#863166) - detect and stop excessive entities expansion upon replacement (rhbz#912575)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79546
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79546
    title OracleVM 3.3 : libxml2 (OVMSA-2014-0031)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2015-0001.NASL
    description a. VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation of this issue may allow for privilege escalation on the host. The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System. Mitigation For ESXi to be affected, permissions must have been added to ESXi (or a vCenter Server managing it) for a virtual machine administrator role or greater. VMware would like to thank Shanon Olsson for reporting this issue to us through JPCERT. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-8370 to this issue. b. VMware Workstation, Player, and Fusion Denial of Service vulnerability VMware Workstation, Player, and Fusion contain an input validation issue in the Host Guest File System (HGFS). This issue may allow for a Denial of Service of the Guest Operating system. VMware would like to thank Peter Kamensky from Digital Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1043 to this issue. c. VMware ESXi, Workstation, and Player Denial of Service vulnerability VMware ESXi, Workstation, and Player contain an input validation issue in VMware Authorization process (vmware-authd). This issue may allow for a Denial of Service of the host. On VMware ESXi and on Workstation running on Linux the Denial of Service would be partial. VMware would like to thank Dmitry Yudin @ret5et for reporting this issue to us through HP's Zero Day Initiative. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1044 to this issue. d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1 and 0.9.8 package The OpenSSL library is updated to version 1.0.1j or 0.9.8zc to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-3513, CVE-2014-3567, CVE-2014-3566 ("POODLE") and CVE-2014-3568 to these issues. e. Update to ESXi libxml2 package The libxml2 library is updated to version libxml2-2.7.6-17 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3660 to this issue.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 81079
    published 2015-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81079
    title VMSA-2015-0001 : VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues (POODLE)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-111.NASL
    description Updated libxml2 packages fix security vulnerabilities : It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors (CVE-2014-0191). A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior (CVE-2014-3660).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82364
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82364
    title Mandriva Linux Security Advisory : libxml2 (MDVSA-2015:111)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1655.NASL
    description From Red Hat Security Advisory 2014:1655 : Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 78531
    published 2014-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78531
    title Oracle Linux 6 / 7 : libxml2 (ELSA-2014-1655)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3057.NASL
    description Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) In addition, this update addresses a misapplied chunk for a patch released in version 2.8.0+dfsg1-7+wheezy1 (#762864), and a memory leak regression (#765770) introduced in version 2.8.0+dfsg1-7+nmu3.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 78694
    published 2014-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78694
    title Debian DSA-3057-1 : libxml2 - security update
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2015-006.NASL
    description The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - CoreText - FontParser - Libinfo - libxml2 - OpenSSL - perl - PostgreSQL - QL Office - Quartz Composer Framework - QuickTime 7 - SceneKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 85409
    published 2015-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85409
    title Mac OS X Multiple Vulnerabilities (Security Update 2015-006)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1655.NASL
    description Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 78605
    published 2014-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78605
    title CentOS 6 / 7 : libxml2 (CESA-2014:1655)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-444.NASL
    description A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 79293
    published 2014-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79293
    title Amazon Linux AMI : libxml2 (ALAS-2014-444)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-80.NASL
    description Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) In addition, this update addresses a misapplied chunk for a patch released the previous version (#762864). NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 82225
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82225
    title Debian DLA-80-1 : libxml2 security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12995.NASL
    description New variants for the billion laugh DOS attacks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 78570
    published 2014-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78570
    title Fedora 20 : libxml2-2.9.1-3.fc20 (2014-12995)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBXML2-141020.NASL
    description This update fixes a denial of service via recursive entity expansion. (CVE-2014-3660)
    last seen 2018-09-01
    modified 2014-11-18
    plugin id 79309
    published 2014-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79309
    title SuSE 11.3 Security Update : libxml2 (SAT Patch Number 9914)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-204.NASL
    description A vulnerability has been found and corrected in libxml2 : A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior (CVE-2014-3660). The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 78666
    published 2014-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78666
    title Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:204)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-13047.NASL
    description New variants for the billion laugh DOS attacks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79390
    published 2014-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79390
    title Fedora 19 : libxml2-2.9.1-2.fc19 (2014-13047)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_5.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 85408
    published 2015-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85408
    title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_5_BUILD_2352327_REMOTE.NASL
    description The remote VMware ESXi host is version 5.5 prior to build 2352327. It is, therefore, affected by the following vulnerabilities : - An error exists related to DTLS SRTP extension handling and specially crafted handshake messages that can allow denial of service attacks via memory leaks. (CVE-2014-3513) - An error exists related to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A man-in-the-middle attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. This is also known as the 'POODLE' issue. (CVE-2014-3566) - An error exists related to session ticket handling that can allow denial of service attacks via memory leaks. (CVE-2014-3567) - An error exists related to the build configuration process and the 'no-ssl3' build option that allows servers and clients to process insecure SSL 3.0 handshake messages. (CVE-2014-3568) - A denial of service vulnerability in libxml2 due to entity expansion even when entity substitution is disabled. A remote attacker, using a crafted XML document containing a large number of nested entity references, can cause the consumption of CPU resources. (CVE-2014-3660) - An unspecified privilege escalation vulnerability. (CVE-2014-8370) - An unspecified denial of service vulnerability due to an input validation issue in the VMware Authorization process (vmware-authd). (CVE-2015-1044)
    last seen 2019-02-21
    modified 2018-08-16
    plugin id 81085
    published 2015-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81085
    title ESXi 5.5 < Build 2352327 Multiple Vulnerabilities (remote check) (POODLE)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2389-1.NASL
    description It was discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 78698
    published 2014-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78698
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : libxml2 vulnerability (USN-2389-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20141016_LIBXML2_ON_SL6_X.NASL
    description A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 78646
    published 2014-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78646
    title Scientific Linux Security Update : libxml2 on SL6.x, SL7.x i386/x86_64
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-06 (libxml2: Denial of Service) parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled. Impact : A context-dependent attacker could entice a user to open a specially crafted XML file using an application linked against libxml2, possibly resulting in a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-04-13
    plugin id 79959
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79959
    title GLSA-201412-06 : libxml2: Denial of Service
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0003-1.NASL
    description This libxml2 update fixes the following security and non-security issues : - Fix a denial of service via recursive entity expansion. (CVE-2014-3660, bnc#901546, bgo#738805) - Fix a regression in xzlib compression support. (bnc#908376) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 83851
    published 2015-05-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83851
    title SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2015:0003-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_0642B06456C411E48B87BCAEC565249C.NASL
    description RedHat reports : A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 78577
    published 2014-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78577
    title FreeBSD : libxml2 -- Denial of service (0642b064-56c4-11e4-8b87-bcaec565249c)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1655.NASL
    description Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 78535
    published 2014-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78535
    title RHEL 6 / 7 : libxml2 (RHSA-2014:1655)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20141120_LIBXML2_ON_SL5_X.NASL
    description A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 79381
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79381
    title Scientific Linux Security Update : libxml2 on SL5.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1885.NASL
    description Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79361
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79361
    title CentOS 5 : libxml2 (CESA-2014:1885)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15872.NASL
    description parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the 'billion laughs' attack.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 79732
    published 2014-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79732
    title F5 Networks BIG-IP : libxml2 vulnerability (SOL15872)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12915.NASL
    description New variants of the billion laughs DoS attack. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 78794
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78794
    title Fedora 21 : libxml2-2.9.1-6.fc21 (2014-12915)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-606.NASL
    description This update fixes a denial of service vulnerability when expanding recursive entities (CVE-2014-3660) bnc#901546
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 78734
    published 2014-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78734
    title openSUSE Security Update : libxml2 (openSUSE-SU-2014:1330-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL61570943.NASL
    description CVE-2015-5312 The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-7497 Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7498 Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7499 Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7500 The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-7941 libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities. CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941. CVE-2015-8241 The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8242 The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8317 The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88742
    published 2016-02-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88742
    title F5 Networks BIG-IP : Multiple libXML2 vulnerabilities (K61570943)
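The advisories above all describe the same mechanism: a small document whose internal DTD declares entities that reference each other in layers, so that the expanded size grows geometrically while the parser spends CPU (and, without a cap, memory) resolving them even when the caller asked for no entity substitution. The following is an added, constructed example and not libxml2 code or any vendor's fix: a pre-parse guard, in plain Python with no third-party dependencies, that reads the internal subset, computes the fully expanded size of the body without ever materialising it, and refuses documents whose amplification ratio is implausible for legitimate input. The thresholds (1 MB, 10x amplification), the entity-declaration regexes and the sample documents are this example's own assumptions; libxml2's real check lives in parser.c, as the CVE summary says, and is not reproduced here.

```python
import re

# Constructed example, not libxml2 code: a static, pre-parse estimate of how
# large a document becomes once its internal general entities are expanded.
# The thresholds below are this example's own choice, not libxml2's.
MAX_EXPANDED_BYTES = 1_000_000   # expansions below this are always accepted
MAX_AMPLIFICATION = 10.0         # expanded size / raw size above this is rejected

DOCTYPE_RE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
# Internal general entities only: "<!ENTITY % ...>" (parameter) and
# SYSTEM/PUBLIC (external) declarations do not match this pattern.
ENTITY_DECL_RE = re.compile(
    r'<!ENTITY\s+([A-Za-z_][\w.:-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF_RE = re.compile(r'&([A-Za-z_][\w.:-]*);')
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # each expands to one character


def split_document(doc):
    """Return (internal general entities, document body after the DOCTYPE)."""
    m = DOCTYPE_RE.search(doc)
    if not m:
        return {}, doc
    entities = {}
    for name, dq, sq in ENTITY_DECL_RE.findall(m.group(1)):
        entities.setdefault(name, dq if dq else sq)  # first declaration wins
    return entities, doc[m.end():]


def _expanded_len(text, entities, cache, active):
    """Length of `text` after recursively replacing entity references.

    `cache` memoises per-entity sizes so a 10-level, fanout-10 document costs
    ~100 regex matches rather than 10**9 string copies; `active` holds the
    entities currently being expanded so a reference cycle is detected.
    """
    total, pos = 0, 0
    for ref in ENTITY_REF_RE.finditer(text):
        total += ref.start() - pos
        name = ref.group(1)
        if name in PREDEFINED:
            total += 1
        elif name not in entities:
            total += len(ref.group(0))          # undefined: stays literal text
        else:
            if name in active:
                raise ValueError(f"recursive reference to entity '{name}'")
            if name not in cache:
                active.add(name)
                cache[name] = _expanded_len(entities[name], entities, cache, active)
                active.discard(name)
            total += cache[name]
        pos = ref.end()
    return total + len(text) - pos


def check_document(doc, max_bytes=MAX_EXPANDED_BYTES, max_ratio=MAX_AMPLIFICATION):
    """Decide whether `doc` is safe to hand to a real XML parser.

    The count is an upper bound: references inside comments or CDATA sections
    are counted too, which only makes the guard stricter, never looser.
    """
    entities, body = split_document(doc)
    try:
        expanded = _expanded_len(body, entities, {}, set())
    except ValueError as err:
        return {"safe": False, "expanded_bytes": None, "ratio": None, "reason": str(err)}
    ratio = expanded / max(len(doc), 1)
    safe = expanded <= max_bytes or ratio <= max_ratio
    reason = None if safe else f"entity expansion amplifies input {ratio:.0f}x"
    return {"safe": safe, "expanded_bytes": expanded, "ratio": ratio, "reason": reason}


def build_billion_laughs(depth=9, fanout=10):
    """Constructed billion-laughs document: each level references the previous one `fanout` times."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>\n')


# Constructed sample inputs.
BENIGN_DOC = ('<?xml version="1.0"?>\n<!DOCTYPE d [<!ENTITY co "Example Corp">]>'
              '<d>&co; &amp; &co;</d>')
RECURSIVE_DOC = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("recursive", RECURSIVE_DOC),
                       ("billion laughs", build_billion_laughs())]:
        print(label, check_document(doc))
```

The guard is deliberately conservative and handles only internal general entities; a document that needs external entities or parameter entities should be rejected outright by the same front door. It complements, rather than replaces, upgrading libxml2 to a fixed build: once the library itself bounds expansion, the guard mostly serves to reject hostile input before it reaches the parser at all.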
redhat via4
advisories
  • bugzilla
    id 1149084
    title CVE-2014-3660 libxml2: denial of service via recursive entity expansion
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhba:tst:20150364001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhba:tst:20150364002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhba:tst:20150364003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20150364004
      • OR
        • AND
          • comment libxml2 is earlier than 0:2.9.1-5.el7_0.1
            oval oval:com.redhat.rhsa:tst:20141655005
          • comment libxml2 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749006
        • AND
          • comment libxml2-devel is earlier than 0:2.9.1-5.el7_0.1
            oval oval:com.redhat.rhsa:tst:20141655007
          • comment libxml2-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749012
        • AND
          • comment libxml2-python is earlier than 0:2.9.1-5.el7_0.1
            oval oval:com.redhat.rhsa:tst:20141655011
          • comment libxml2-python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749010
        • AND
          • comment libxml2-static is earlier than 0:2.9.1-5.el7_0.1
            oval oval:com.redhat.rhsa:tst:20141655009
          • comment libxml2-static is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749008
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment libxml2 is earlier than 0:2.7.6-17.el6_6.1
            oval oval:com.redhat.rhsa:tst:20141655017
          • comment libxml2 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749006
        • AND
          • comment libxml2-devel is earlier than 0:2.7.6-17.el6_6.1
            oval oval:com.redhat.rhsa:tst:20141655019
          • comment libxml2-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749012
        • AND
          • comment libxml2-python is earlier than 0:2.7.6-17.el6_6.1
            oval oval:com.redhat.rhsa:tst:20141655020
          • comment libxml2-python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749010
        • AND
          • comment libxml2-static is earlier than 0:2.7.6-17.el6_6.1
            oval oval:com.redhat.rhsa:tst:20141655018
          • comment libxml2-static is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749008
    rhsa
    id RHSA-2014:1655
    released 2014-10-16
    severity Moderate
    title RHSA-2014:1655: libxml2 security update (Moderate)
  • bugzilla
    id 1149084
    title CVE-2014-3660 libxml2: denial of service via recursive entity expansion
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.6.26-2.1.25.el5_11
          oval oval:com.redhat.rhsa:tst:20141885002
        • comment libxml2 is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080032014
      • AND
        • comment libxml2-devel is earlier than 0:2.6.26-2.1.25.el5_11
          oval oval:com.redhat.rhsa:tst:20141885004
        • comment libxml2-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080032016
      • AND
        • comment libxml2-python is earlier than 0:2.6.26-2.1.25.el5_11
          oval oval:com.redhat.rhsa:tst:20141885006
        • comment libxml2-python is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080032018
    rhsa
    id RHSA-2014:1885
    released 2014-11-20
    severity Moderate
    title RHSA-2014:1885: libxml2 security update (Moderate)
rpms
  • libxml2-0:2.9.1-5.el7_0.1
  • libxml2-devel-0:2.9.1-5.el7_0.1
  • libxml2-python-0:2.9.1-5.el7_0.1
  • libxml2-static-0:2.9.1-5.el7_0.1
  • libxml2-0:2.7.6-17.el6_6.1
  • libxml2-devel-0:2.7.6-17.el6_6.1
  • libxml2-python-0:2.7.6-17.el6_6.1
  • libxml2-static-0:2.7.6-17.el6_6.1
  • libxml2-0:2.6.26-2.1.25.el5_11
  • libxml2-devel-0:2.6.26-2.1.25.el5_11
  • libxml2-python-0:2.6.26-2.1.25.el5_11
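The OVAL criteria above reduce to two tests per package: the installed libxml2 EVR (epoch:version-release) is earlier than the fixed build for that RHEL release, and the package carries the Red Hat signing key. Ordering EVRs correctly is the part people get wrong, because `5.el7_0.1` must sort after `5.el7` and `2.9.10` after `2.9.2`. The following is an added, constructed example and not Red Hat's OVAL engine or rpm's own code: a Python reimplementation of rpm's segment-wise version comparison (the rpmvercmp algorithm, including its tilde and caret rules) applied to the fixed EVRs listed above. It deliberately omits the signature-key test, so it answers only "is this version older than the fix", and the installed EVR strings in the tests are constructed.

```python
import re

# Constructed example: rpm-style EVR ordering applied to the fixed libxml2
# builds from RHSA-2014:1655 (RHEL 6/7) and RHSA-2014:1885 (RHEL 5).
FIXED_EVR = {
    "el7": "0:2.9.1-5.el7_0.1",
    "el6": "0:2.7.6-17.el6_6.1",
    "el5": "0:2.6.26-2.1.25.el5_11",
}


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does; returns -1, 0, 1.

    Digit runs compare numerically, letter runs lexically, a numeric segment
    beats an alphabetic one, '~' sorts before anything (even end of string)
    and '^' sorts after end of string but before anything else.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                                   # skip separators
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta = a[i] if i < len(a) else ""
        tb = b[j] if j < len(b) else ""
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ta == "^" or tb == "^":
            if ta == "":
                return -1
            if tb == "":
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i += 1
            j += 1
            continue
        if ta == "" or tb == "":
            break
        isnum = ta.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and kind(a[i]):
            i += 1
        sj = j
        while j < len(b) and kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                                   # types differ: numeric wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):                   # more digits = larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                  # leftover text is newer


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); missing epoch is 0."""
    epoch, version = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = version.partition("-")
    return int(epoch), version, release


def evrcmp(x, y):
    """Full EVR ordering: epoch numerically, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def detect_rhel(evr):
    """Pull the 'elN' dist tag out of a release string, or None if absent."""
    m = re.search(r"\.(el\d+)", parse_evr(evr)[2])
    return m.group(1) if m else None


def libxml2_is_vulnerable(installed_evr, rhel=None):
    """True when the installed EVR sorts before the fixed EVR for that RHEL release."""
    rhel = rhel or detect_rhel(installed_evr)
    return evrcmp(installed_evr, FIXED_EVR[rhel]) < 0


if __name__ == "__main__":
    # Constructed installed versions, as `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'` would print them.
    for evr in ["0:2.9.1-5.el7", "0:2.9.1-5.el7_0.1", "2.7.6-14.el6", "0:2.6.26-2.1.25.el5_11"]:
        print(evr, "VULNERABLE" if libxml2_is_vulnerable(evr) else "fixed")
```

On a real host the OVAL test also requires the package to be signed with the Red Hat key, which prevents a locally rebuilt package with a higher release number from masking an unpatched library; add that check (`rpm -q --qf '%{SIGPGP:pgpsig}'`) before trusting a "fixed" verdict.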
refmap via4
apple
  • APPLE-SA-2015-08-13-2
  • APPLE-SA-2015-08-13-3
bid 70644
confirm
debian DSA-3057
mandriva MDVSA-2014:244
misc
mlist [oss-security] 20141017 libxml2 issue: billioun laughs variant (CVE-2014-3660)
secunia
  • 59903
  • 61965
  • 61966
  • 61991
suse
  • openSUSE-SU-2014:1330
  • openSUSE-SU-2015:2372
ubuntu USN-2389-1
vmware via4
description The libxml2 library is updated to version libxml2-2.7.6-17 to resolve a security issue.
id VMSA-2015-0001
last_updated 2015-01-27T00:00:00
published 2015-01-27T00:00:00
title Update to ESXi libxml2 package
workaround None
Last major update 07-12-2016 - 22:05
Published 04-11-2014 - 11:55