CentOS 7 update for libxml2



Published: 2021-11-17
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2019-19956
CVE-2019-20388
CVE-2020-7595
CWE-ID CWE-401
CWE-835
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
CentOS
Operating systems & Components / Operating system

Vendor CentOS Project

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU24489

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-19956

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. A remote attacker can trigger a memory leak related to newDoc->oldNs and perform denial of service attack.

Mitigation

Update the affected packages.

Vulnerable software versions

CentOS: 7


CPE2.3 External links

http://lists.centos.org/pipermail/centos-announce/2021-November/048377.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Memory leak

EUVDB-ID: #VU24487

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-20388

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in xmlSchemaPreRun in xmlschemas.c. A remote attacker can trigger a xmlSchemaValidateStream memory leak and perform denial of service attack.

Mitigation

Update the affected packages.

Vulnerable software versions

CentOS: 7


CPE2.3 External links

http://lists.centos.org/pipermail/centos-announce/2021-November/048377.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Infinite loop

EUVDB-ID: #VU24488

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7595

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in xmlStringLenDecodeEntities in parser.c. A remote attacker can consume all available system resources and cause denial of service conditions in a certain end-of-file situation.

Mitigation

Update the affected packages.

Vulnerable software versions

CentOS: 7


CPE2.3 External links

http://lists.centos.org/pipermail/centos-announce/2021-November/048377.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###