Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-1861.NASL
HistoryFeb 24, 2010 - 12:00 a.m.

Debian DSA-1861-1 : libxml - several vulnerabilities

2010-02-2400:00:00
This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
36

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.009

Percentile

83.2%

JSON

Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems :

  • CVE-2009-2416 An XML document with specially crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed.

  • CVE-2009-2414 Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1861. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(44726);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  script_cve_id("CVE-2009-2414", "CVE-2009-2416");
  script_bugtraq_id(36010);
  script_xref(name:"DSA", value:"1861");

  script_name(english:"Debian DSA-1861-1 : libxml - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
vulnerabilities in libxml, a library for parsing and handling XML data
files, which can lead to denial of service conditions or possibly
arbitrary code execution in the application using the library. The
Common Vulnerabilities and Exposures project identifies the following
problems :

  - CVE-2009-2416
    An XML document with specially crafted Notation or
    Enumeration attribute types in a DTD definition leads to
    the use of a pointers to memory areas which have already
    been freed.

  - CVE-2009-2414
    Missing checks for the depth of ELEMENT DTD definitions
    when parsing child content can lead to extensive
    stack-growth due to a function recursion which can be
    triggered via a crafted XML document."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2009-2416"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2009-2414"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2009/dsa-1861"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the libxml packages.

For the oldstable distribution (etch), this problem has been fixed in
version 1.8.17-14+etch1.

The stable (lenny), testing (squeeze) and unstable (sid) distribution
do not contain libxml anymore but libxml2 for which DSA-1859-1 has
been released."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxml");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"libxml-dev", reference:"1.8.17-14+etch1")) flag++;
if (deb_check(release:"4.0", prefix:"libxml1", reference:"1.8.17-14+etch1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxlibxmlp-cpe:/a:debian:debian_linux:libxml
debiandebian_linux4.0cpe:/o:debian:debian_linux:4.0

Related

openvas 56
debian 2
f5 2
oraclelinux 1
redhat 1
nessus 36
securityvulns 2
fedora 5
osv 2
gentoo 1
seebug 2
altlinux 2
centos 1
chrome 1
ubuntu 1
cvelist 2
debiancve 2
nvd 2
freebsd 2
ubuntucve 2
cve 2
prion 2
threatpost 1
vmware 2
openvas
openvas
CentOS Update for libxml CESA-2009:1206 centos3 i386
2011-08-09 00:00:00
RedHat Security Advisory RHSA-2009:1206
2009-08-17 00:00:00
CentOS Update for libxml2 CESA-2009:1206 centos5 i386
2011-08-09 00:00:00
debian
debian
[SECURITY] [DSA 1859-1] New libxml2 packages fix several issues
2009-08-10 18:55:11
[SECURITY] [DSA 1861-1] New libxml packages fix several issues
2009-08-13 20:40:37
f5
f5
SOL15864 - libxml vulnerabilities CVE-2009-2414 and CVE-2009-2416
2014-11-25 00:00:00
K15864 : libxml vulnerabilities CVE-2009-2414 and CVE-2009-2416
2015-09-14 00:00:00
oraclelinux
oraclelinux
libxml and libxml2 security update
2009-08-10 00:00:00
redhat
redhat
(RHSA-2009:1206) Moderate: libxml and libxml2 security update
2009-08-10 00:00:00
nessus
nessus
Fedora 11 : libxml2-2.7.3-3.fc11 (2009-8498)
2009-08-12 00:00:00
openSUSE 10 Security Update : libxml (libxml-6477)
2009-10-06 00:00:00
SuSE9 Security Update : libxml.rpm (YOU Patch Number 12504)
2009-09-24 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 1859-1] New libxml2 packages fix several issues
2009-08-11 00:00:00
libxml multiple security vulnerability
2009-08-11 00:00:00
fedora
fedora
[SECURITY] Fedora 11 Update: libxml2-2.7.3-3.fc11
2009-08-11 22:40:10
[SECURITY] Fedora 11 Update: mingw32-libxml2-2.7.3-2.fc11
2009-08-15 08:17:15
[SECURITY] Fedora 11 Update: libxml-1.8.17-24.fc11
2009-08-15 08:18:18
osv
osv
libxml2 - several issues
2009-08-10 00:00:00
libxml - several issues
2009-08-13 00:00:00
gentoo
gentoo
libxml2: Denial of service
2010-09-21 00:00:00
seebug
seebug
libxml2栈溢出和释放后使用拒绝漏洞
2009-08-12 00:00:00
Safari 4.0.4版本修复多个安全漏洞
2009-11-13 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package libxml2 version 1:2.7.3-alt2
2009-08-17 00:00:00
Security fix for the ALT Linux 5 package libxml2 version 1:2.7.3-alt2
2009-08-17 00:00:00
centos
centos
libxml, libxml2 security update
2009-08-10 21:37:50
chrome
chrome
Stable Update: Security fixes
2009-08-25 00:00:00
ubuntu
ubuntu
libxml2 vulnerabilities
2009-08-11 00:00:00
cvelist
cvelist
CVE-2009-2416
2009-08-11 18:00:00
CVE-2009-2414
2009-08-11 18:00:00
debiancve
debiancve
CVE-2009-2416
2009-08-11 18:30:00
CVE-2009-2414
2009-08-11 18:30:00
nvd
nvd
CVE-2009-2416
2009-08-11 18:30:00
CVE-2009-2414
2009-08-11 18:30:00
freebsd
freebsd
libxml -- Multiple use-after-free vulnerabilities
2009-08-03 00:00:00
libxml -- Stack consumption vulnerability
2009-08-03 00:00:00
ubuntucve
ubuntucve
CVE-2009-2416
2009-08-11 00:00:00
CVE-2009-2414
2009-08-11 00:00:00
cve
cve
CVE-2009-2416
2009-08-11 18:30:00
CVE-2009-2414
2009-08-11 18:30:00
prion
prion
Design/Logic Flaw
2009-08-11 18:30:00
Design/Logic Flaw
2009-08-11 18:30:00
threatpost
threatpost
Apple Patches Critical Safari Vulnerabilities
2009-11-11 21:45:09
vmware
vmware
VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components
2009-11-20 00:00:00
VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
2009-11-20 00:00:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.009

Percentile

83.2%

JSON
Related for DEBIAN_DSA-1861.NASL
openvas56debian2f52oraclelinux1redhat1nessus36securityvulns2fedora5osv2gentoo1seebug2altlinux2centos1chrome1ubuntu1cvelist2debiancve2nvd2freebsd2ubuntucve2cve2prion2threatpost1vmware2