CVE-2014-0191

Common Vulnerabilities and Exposures


Upstream information

CVE-2014-0191 at MITRE

Description

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

SUSE information

CVSS v2 Scores
                        National Vulnerability Database   SUSE
Base Score              4.30                              7.12
Vector                  AV:N/AC:M/Au:N/C:N/I:N/A:P        AV:N/AC:M/Au:N/C:N/I:N/A:C
Access Vector           Network                           Network
Access Complexity       Medium                            Medium
Authentication          None                              None
Confidentiality Impact  None                              None
Integrity Impact        None                              None
Availability Impact     Partial                           Complete

This issue is currently rated as having moderate severity.

SUSE Bugzilla entries: 876652 [ASSIGNED], 877506 [VERIFIED / INVALID]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE 12.3
  • libxml2 >= 2.9.0-2.29.1
  • libxml2-2 >= 2.9.0-2.29.1
  • libxml2-2-32bit >= 2.9.0-2.29.1
  • libxml2-2-debuginfo >= 2.9.0-2.29.1
  • libxml2-2-debuginfo-32bit >= 2.9.0-2.29.1
  • libxml2-debugsource >= 2.9.0-2.29.1
  • libxml2-devel >= 2.9.0-2.29.1
  • libxml2-devel-32bit >= 2.9.0-2.29.1
  • libxml2-doc >= 2.9.0-2.29.1
  • libxml2-tools >= 2.9.0-2.29.1
  • libxml2-tools-debuginfo >= 2.9.0-2.29.1
  • python-libxml2 >= 2.9.0-2.29.1
  • python-libxml2-debuginfo >= 2.9.0-2.29.1
  • python-libxml2-debugsource >= 2.9.0-2.29.1
Patchnames: openSUSE-2014-363, openSUSE-2014-394, openSUSE-2014-409

openSUSE 13.1
  • libxml2 >= 2.9.3-2.19.1
  • libxml2-2 >= 2.9.3-2.19.1
  • libxml2-2-32bit >= 2.9.3-2.19.1
  • libxml2-2-debuginfo >= 2.9.3-2.19.1
  • libxml2-2-debuginfo-32bit >= 2.9.3-2.19.1
  • libxml2-debugsource >= 2.9.3-2.19.1
  • libxml2-devel >= 2.9.3-2.19.1
  • libxml2-devel-32bit >= 2.9.3-2.19.1
  • libxml2-doc >= 2.9.3-2.19.1
  • libxml2-tools >= 2.9.3-2.19.1
  • libxml2-tools-debuginfo >= 2.9.3-2.19.1
  • python-libxml2 >= 2.9.3-2.19.1
  • python-libxml2-debuginfo >= 2.9.3-2.19.1
  • python-libxml2-debugsource >= 2.9.3-2.19.1
Patchnames: openSUSE-2014-363, openSUSE-2014-394, openSUSE-2014-409, openSUSE-2015-959

openSUSE 13.2
  • libxml2 >= 2.9.3-7.4.1
  • libxml2-2 >= 2.9.3-7.4.1
  • libxml2-2-32bit >= 2.9.3-7.4.1
  • libxml2-2-debuginfo >= 2.9.3-7.4.1
  • libxml2-2-debuginfo-32bit >= 2.9.3-7.4.1
  • libxml2-debugsource >= 2.9.3-7.4.1
  • libxml2-devel >= 2.9.3-7.4.1
  • libxml2-devel-32bit >= 2.9.3-7.4.1
  • libxml2-doc >= 2.9.3-7.4.1
  • libxml2-tools >= 2.9.3-7.4.1
  • libxml2-tools-debuginfo >= 2.9.3-7.4.1
  • python-libxml2 >= 2.9.3-7.4.1
  • python-libxml2-debuginfo >= 2.9.3-7.4.1
  • python-libxml2-debugsource >= 2.9.3-7.4.1
Patchnames: openSUSE-2015-959

openSUSE Evergreen 11.4
  • libxml2 >= 2.7.8-53.1
  • libxml2-32bit >= 2.7.8-53.1
  • libxml2-debuginfo >= 2.7.8-53.1
  • libxml2-debuginfo-32bit >= 2.7.8-53.1
  • libxml2-debuginfo-x86 >= 2.7.8-53.1
  • libxml2-debugsource >= 2.7.8-53.1
  • libxml2-devel >= 2.7.8-53.1
  • libxml2-devel-32bit >= 2.7.8-53.1
  • libxml2-doc >= 2.7.8-53.1
  • libxml2-x86 >= 2.7.8-53.1
Patchnames: 2014-53, 2014-56


The following is the current evaluation information for this security issue. It might be neither accurate nor complete; use at your own risk.

Packages/codestreams planned to be updated:
libxml2: SLED-10-SP3, SLES-10-SP3, SLES-11-SP3, SLES-for-VMware-11-SP3, sle-sdk-11-SP3, SLED-11-SP3, SLES_LTSS-11-SP1, sap-aio-11-SP1, SLES-11-SP1, sle-sdk-11-SP1, SLED-11-SP1