ALAS2-2019-1301

Affecting libxml2 package, versions <2.9.1-6.amzn2.3.3

medium severity

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2017-16931 (1517307): libxml2: Mishandling parameter-entity references
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.

CVE-2016-4658 (1384424): libxml2: Use after free via namespace node in XPointer ranges
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
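A version check a defender would want to run against this advisory, added here as an example and not part of the Snyk or Amazon advisory text: a pure-Python port of rpm's version-comparison rules that reports whether an installed libxml2 build is older than the fixed 2.9.1-6.amzn2.3.3. The epoch-0 assumption for the fixed build and the tilde handling are assumptions of this example, not stated on the page.

```python
"""Added example (not from the advisory): report whether an installed Amazon
Linux 2 libxml2 predates the ALAS2-2019-1301 fix, 2.9.1-6.amzn2.3.3,
using a pure-Python port of rpm's rpmvercmp segment rules."""
import re

FIXED_EVR = (0, "2.9.1", "6.amzn2.3.3")  # from the advisory; epoch 0 assumed
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # digit runs, letter runs, tilde


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1: numeric segments compare as integers, alphabetic
    ones lexically, numeric beats alphabetic, '~' sorts before everything."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:  # extra trailing segments mean newer, unless they start with '~'
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


def parse_evr(evr: str) -> tuple:
    """Split '[epoch:]version-release' (as printed by rpm -q) into a tuple."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch else 0), version, release


def is_affected(installed_evr: str) -> bool:
    """True when the installed build is older than FIXED_EVR: compare epoch
    first, then version, then release, exactly as rpm orders packages."""
    e, v, r = parse_evr(installed_evr)
    fe, fv, fr = FIXED_EVR
    if e != fe:
        return e < fe
    return (rpmvercmp(v, fv) or rpmvercmp(r, fr)) < 0
```

Feed `is_affected` the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' libxml2` from the host being checked; a result of True means the installed build still carries both CVEs listed above.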

References

CVE
ALAS2-2019-1301
Snyk ID
SNYK-AMZN2-LIBXML2-487070
Published
13 Nov, 2019