The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of expat: denial of service via hash collision

Synthesis of the vulnerability

An attacker can trigger collisions in hash tables, in order to degrade the performance of applications using expat.
Vulnerable products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Notes by IBM, openSUSE Leap, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Tuxedo, WebLogic, Python, Slackware, Nessus, Ubuntu.
Severity of this weakness: 2/4.
Creation date: 08/06/2016.
References of this bulletin: 1990421, 1990658, CERTFR-2018-AVI-288, cpujul2018, CVE-2016-5300, DLA-508-1, DSA-3597-1, FEDORA-2016-0fd6ca526a, FEDORA-2016-60889583ab, FEDORA-2016-7c6e7a9265, K70938105, openSUSE-SU-2017:0483-1, SOL70938105, SSA:2016-359-01, SSA:2018-124-01, TNS-2018-08, USN-3010-1, USN-3013-1, VIGILANCE-VUL-19836.

Description of the vulnerability

An attacker can trigger collisions in hash tables, in order to degrade the performance of applications using expat. The original vulnerability is described in VIGILANCE-VUL-11420.
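As an added check that is not part of this bulletin or of the expat project, the script below reports whether the running Python interpreter's expat meets the fixed releases listed in the Solutions section (Python 2.7.14 and 3.6.2). The upstream threshold of expat 2.2.0 is an assumption inferred from the Slackware packages listed below; distributions that backport the fix (Debian, Fedora, Ubuntu) keep an older upstream version number, so an old number alone is not proof of exposure.

```python
import re
import sys
import pyexpat

# Fixed Python releases as named in the bulletin's Solutions section.
FIXED_PYTHON = {(2, 7): (2, 7, 14), (3, 6): (3, 6, 2)}

# Assumption: upstream expat 2.2.0 is the first release carrying the fix
# (inferred from the Slackware 2.2.0 packages in the bulletin). Distro
# builds of 2.1.x / 2.0.x may carry the fix as a backport instead.
FIXED_EXPAT_UPSTREAM = (2, 2, 0)


def parse_expat_version(text):
    """Turn pyexpat.EXPAT_VERSION such as 'expat_2.1.0' into (2, 1, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised expat version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def python_line_fixed(version):
    """True/False for lines the bulletin names; None for lines it does not.

    A line newer than any named one (e.g. 3.7) branched after the fix, so it
    counts as fixed; an older unnamed line (e.g. 3.5) is reported as unknown.
    """
    line = (version[0], version[1])
    fixed = FIXED_PYTHON.get(line)
    if fixed is not None:
        return tuple(version[:3]) >= fixed
    if line > max(FIXED_PYTHON):
        return True
    return None


def expat_status(expat_version, python_version):
    """Combine the upstream expat number and the interpreter release."""
    if tuple(expat_version) >= FIXED_EXPAT_UPSTREAM:
        return "fixed-upstream-expat"
    py = python_line_fixed(python_version)
    if py is True:
        return "fixed-python-release"
    if py is False:
        return "verify-distro-backport-or-update"
    return "line-not-in-bulletin"


def report():
    """Status of the interpreter this script runs under."""
    return expat_status(parse_expat_version(pyexpat.EXPAT_VERSION),
                        tuple(sys.version_info[:3]))


if __name__ == "__main__":
    print("%s, Python %s: %s" % (pyexpat.EXPAT_VERSION,
                                 sys.version.split()[0], report()))
```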
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security bulletin impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Notes by IBM, openSUSE Leap, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Tuxedo, WebLogic, Python, Slackware, Nessus, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is medium.

The trust level is confirmed by the vendor, with a vendor document as the source.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

Android OS: patch 2016-11-05.
A patch is indicated in information sources.

Debian: new expat packages.
New packages are available:
  Debian 8: expat 2.1.0-6+deb8u3
  Debian 7: expat 2.1.0-1+deb7u4

F5 BIG-IP: fixed versions for Expat.
Fixed versions are indicated in information sources.

Fedora: new expat packages.
New packages are available:
  Fedora 22: expat 2.1.1-2.fc22
  Fedora 23: expat 2.1.1-2.fc23
  Fedora 24: expat 2.1.1-2.fc24

IBM Notes: patch for expat.
A patch is indicated in information sources.

Nessus: version 7.1.1.
The version 7.1.1 is fixed:
  https://www.tenable.com/downloads/nessus

openSUSE Leap: new expat packages.
New packages are available:
  openSUSE Leap 42.1: expat 2.1.0-20.1
  openSUSE Leap 42.2: expat 2.1.0-19.1

Oracle Fusion Middleware: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2394520.1

Python: version 2.7.14.
The version 2.7.14 is fixed:
  https://www.python.org/downloads/release/python-2714/

Python: version 3.6.2.
The version 3.6.2 is fixed:
  https://www.python.org/

Slackware: new expat packages.
New packages are available:
  Slackware 13.0: expat 2.2.0-*-1_slack13.0
  Slackware 13.1: expat 2.2.0-*-1_slack13.1
  Slackware 13.37: expat 2.2.0-*-1_slack13.37
  Slackware 14.0: expat 2.2.0-*-1_slack14.0
  Slackware 14.1: expat 2.2.0-*-1_slack14.1
  Slackware 14.2: expat 2.2.0-*-1_slack14.2

Slackware: new python packages (07/05/2018).
New packages are available:
  Slackware 14.0: python 2.7.15-*-1_slack14.0
  Slackware 14.1: python 2.7.15-*-1_slack14.1
  Slackware 14.2: python 2.7.15-*-1_slack14.2

Ubuntu: new expat packages.
New packages are available:
  Ubuntu 16.04 LTS: libexpat1 2.1.0-7ubuntu0.16.04.2
  Ubuntu 15.10: libexpat1 2.1.0-7ubuntu0.15.10.2
  Ubuntu 14.04 LTS: libexpat1 2.1.0-4ubuntu1.3
  Ubuntu 12.04 LTS: libexpat1 2.0.1-7.2ubuntu1.4

Ubuntu: new xmlrpc-c packages.
New packages are available:
  Ubuntu 12.04 LTS: libxmlrpc-c++4 1.16.33-3.1ubuntu5.2, libxmlrpc-core-c3 1.16.33-3.1ubuntu5.2

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability workaround. The Vigil@nce vulnerability database contains several thousand vulnerabilities.