The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Expat: integer overflow of XML

Synthesis of the vulnerability 

An attacker can generate an integer overflow in the XML parser of Expat, in order to trigger a denial of service, and possibly to run code.
Vulnerable systems: APR-util, Debian, BIG-IP Hardware, TMOS, FreeBSD, Android OS, Domino by IBM, Notes by IBM, Tivoli System Automation, WebSphere AS Traditional, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, pfSense, Python, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this threat: 2/4.
Creation date: 27/07/2015.
Références of this weakness: 1964428, 1965444, 1967199, 1969062, 1990421, 1990658, bulletinjul2016, CVE-2015-1283, DSA-3318-1, FreeBSD-SA-15:20.expat, JSA10904, K15104541, openSUSE-SU-2016:1441-1, openSUSE-SU-2016:1523-1, SOL15104541, SSA:2016-359-01, SUSE-SU-2016:1508-1, SUSE-SU-2016:1512-1, USN-2726-1, USN-3013-1, VIGILANCE-VUL-17498.

Description of the vulnerability 

An attacker can generate an integer overflow in the XML parser of Expat, in order to trigger a denial of service, and possibly to run code.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security threat impacts software or systems such as APR-util, Debian, BIG-IP Hardware, TMOS, FreeBSD, Android OS, Domino by IBM, Notes by IBM, Tivoli System Automation, WebSphere AS Traditional, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, pfSense, Python, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this computer weakness note is medium.

The trust level is of type confirmed by the editor, with an origin of document.

An attacker with a expert ability can exploit this computer threat alert.

Solutions for this threat 

Android OS: patch 2016-11-05.
A patch is indicated in information sources.

Debian: new expat packages.
New packages are available:
  Debian 7: expat 2.1.0-1+deb7u2
  Debian 8: expat 2.1.0-6+deb8u1

F5 BIG-IP: fixed versions for Expat.
Fixed versions are indicated in information sources.

FreeBSD: patch for expat.
A patch is available:
  https://security.FreeBSD.org/patches/SA-15:20/expat.patch

IBM Domino: patch for HTTP Server.
A patch is indicated in information sources.

IBM Notes: patch for expat.
A patch is indicated in information sources.

IBM Tivoli System Automation: patch for Expat.
A patch is available:
  http://www-01.ibm.com/support/docview.wss?uid=swg21964428
  VIGILANCE-SOL-42856

Junos OS: fixed versions for expat.
Fixed versions are indicated in information sources.

openSUSE: new expat packages.
New packages are available:
  openSUSE 13.2: expat 2.1.0-14.3.1
  openSUSE Leap 42.1: expat 2.1.0-17.1

pfSense: version 2.2.5.
The version 2.2.5 is fixed:
  https://pfsense.org/download/

Python: version 2.7.12.
The version 2.7.12 is fixed:
  https://www.python.org/downloads/release/python-2712/

Python: version 3.4.5.
The version 3.4.5 is fixed:
  https://www.python.org/ftp/python/3.4.5/Python-3.4.5.tgz

Python: version 3.5.2.
The version 3.5.2 is fixed:
  https://www.python.org/ftp/python/3.5.2/Python-3.5.2.tgz

Slackware: new expat packages.
New packages are available:
  Slackware 13.0: expat 2.2.0-*-1_slack13.0
  Slackware 13.1: expat 2.2.0-*-1_slack13.1
  Slackware 13.37: expat 2.2.0-*-1_slack13.37
  Slackware 14.0: expat 2.2.0-*-1_slack14.0
  Slackware 14.1: expat 2.2.0-*-1_slack14.1
  Slackware 14.2: expat 2.2.0-*-1_slack14.2

Solaris: patch for third party software of July 2016 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE: new expat packages.
New packages are available:
  SUSE LE 12 SP1: expat 2.1.0-17.1
  SUSE LE 11 SP4: expat 2.0.1-88.38.1

Ubuntu: new libexpat packages.
New packages are available:
  Ubuntu 15.04: lib64expat1 2.1.0-6ubuntu1.1, libexpat1 2.1.0-6ubuntu1.1
  Ubuntu 14.04 LTS: lib64expat1 2.1.0-4ubuntu1.1, libexpat1 2.1.0-4ubuntu1.1
  Ubuntu 12.04 LTS: lib64expat1 2.0.1-7.2ubuntu1.2, libexpat1 2.0.1-7.2ubuntu1.2

Ubuntu: new xmlrpc-c packages.
New packages are available:
  Ubuntu 12.04 LTS: libxmlrpc-c++4 1.16.33-3.1ubuntu5.2, libxmlrpc-core-c3 1.16.33-3.1ubuntu5.2

WebSphere AS: patch for Expat.
A patch is indicated in information sources.

WebSphere AS: version 8.5.5.7.
The version 8.5.5.7 is fixed:
  https://www-304.ibm.com/support/docview.wss?uid=swg24040533
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a systems vulnerabilities alert. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.