Security update for expat SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0483-1 Final 1 1 2017-02-16T20:52:53Z current 2017-02-16T20:52:53Z 2017-02-16T20:52:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for expat This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-02/msg00071.html E-Mail link for openSUSE-SU-2017:0483-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 expat-2.1.0-19.1 libexpat-devel-2.1.0-19.1 libexpat-devel-32bit-2.1.0-19.1 libexpat1-2.1.0-19.1 libexpat1-32bit-2.1.0-19.1 expat-2.1.0-19.1 as a component of openSUSE Leap 42.1 libexpat-devel-2.1.0-19.1 as a component of openSUSE Leap 42.1 libexpat-devel-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.1 libexpat1-2.1.0-19.1 as a component of openSUSE Leap 42.1 libexpat1-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.1 expat-2.1.0-19.1 as a component of openSUSE Leap 42.2 libexpat-devel-2.1.0-19.1 as a component of openSUSE Leap 42.2 libexpat-devel-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.2 libexpat1-2.1.0-19.1 as a component of openSUSE Leap 42.2 libexpat1-32bit-2.1.0-19.1 as a component of openSUSE Leap 42.2 Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. CVE-2012-6702 openSUSE Leap 42.1:expat-2.1.0-19.1 openSUSE Leap 42.1:libexpat-devel-2.1.0-19.1 openSUSE Leap 42.1:libexpat-devel-32bit-2.1.0-19.1 openSUSE Leap 42.1:libexpat1-2.1.0-19.1 openSUSE Leap 42.1:libexpat1-32bit-2.1.0-19.1 openSUSE Leap 42.2:expat-2.1.0-19.1 openSUSE Leap 42.2:libexpat-devel-2.1.0-19.1 openSUSE Leap 42.2:libexpat-devel-32bit-2.1.0-19.1 openSUSE Leap 42.2:libexpat1-2.1.0-19.1 openSUSE Leap 42.2:libexpat1-32bit-2.1.0-19.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00071.html https://www.suse.com/security/cve/CVE-2012-6702.html CVE-2012-6702 https://bugzilla.suse.com/983215 SUSE Bug 983215 https://bugzilla.suse.com/983216 SUSE Bug 983216 The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. CVE-2016-5300 openSUSE Leap 42.1:expat-2.1.0-19.1 openSUSE Leap 42.1:libexpat-devel-2.1.0-19.1 openSUSE Leap 42.1:libexpat-devel-32bit-2.1.0-19.1 openSUSE Leap 42.1:libexpat1-2.1.0-19.1 openSUSE Leap 42.1:libexpat1-32bit-2.1.0-19.1 openSUSE Leap 42.2:expat-2.1.0-19.1 openSUSE Leap 42.2:libexpat-devel-2.1.0-19.1 openSUSE Leap 42.2:libexpat-devel-32bit-2.1.0-19.1 openSUSE Leap 42.2:libexpat1-2.1.0-19.1 openSUSE Leap 42.2:libexpat1-32bit-2.1.0-19.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00071.html https://www.suse.com/security/cve/CVE-2016-5300.html CVE-2016-5300 https://bugzilla.suse.com/983216 SUSE Bug 983216