Security update for expat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:2299-1 Final 1 1 2017-08-30T13:38:55Z current 2017-08-30T13:38:55Z 2017-08-30T13:38:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for expat This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-CAASP-ALL-2017-1419,SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1419,SUSE-SLE-DESKTOP-12-SP2-2017-1419,SUSE-SLE-DESKTOP-12-SP3-2017-1419,SUSE-SLE-RPI-12-SP2-2017-1419,SUSE-SLE-SDK-12-SP2-2017-1419,SUSE-SLE-SDK-12-SP3-2017-1419,SUSE-SLE-SERVER-12-SP2-2017-1419,SUSE-SLE-SERVER-12-SP3-2017-1419 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20172299-1/ Link for SUSE-SU-2017:2299-1 https://lists.suse.com/pipermail/sle-security-updates/2017-August/003169.html E-Mail link for SUSE-SU-2017:2299-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1047236 SUSE Bug 1047236 https://bugzilla.suse.com/1047240 SUSE Bug 1047240 https://www.suse.com/security/cve/CVE-2016-9063/ SUSE CVE CVE-2016-9063 page https://www.suse.com/security/cve/CVE-2017-9233/ SUSE CVE CVE-2017-9233 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 expat-2.1.0-21.3.1 libexpat1-2.1.0-21.3.1 libexpat1-32bit-2.1.0-21.3.1 libexpat-devel-2.1.0-21.3.1 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libexpat1-32bit-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 libexpat1-32bit-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 libexpat1-32bit-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 libexpat1-32bit-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libexpat1-32bit-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 expat-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libexpat1-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libexpat1-32bit-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libexpat-devel-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 libexpat-devel-2.1.0-21.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50. CVE-2016-9063 SUSE Linux Enterprise Desktop 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP2:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP3:expat-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP3:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP3:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP2:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP3:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP3:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP3:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libexpat-devel-2.1.0-21.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libexpat-devel-2.1.0-21.3.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172299-1/ https://www.suse.com/security/cve/CVE-2016-9063.html CVE-2016-9063 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010424 SUSE Bug 1010424 https://bugzilla.suse.com/1047240 SUSE Bug 1047240 https://bugzilla.suse.com/1123115 SUSE Bug 1123115 XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. CVE-2017-9233 SUSE Linux Enterprise Desktop 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP2:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP3:expat-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP3:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Desktop 12 SP3:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP2:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP3:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP3:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server 12 SP3:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:expat-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libexpat1-2.1.0-21.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libexpat1-32bit-2.1.0-21.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libexpat-devel-2.1.0-21.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libexpat-devel-2.1.0-21.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172299-1/ https://www.suse.com/security/cve/CVE-2017-9233.html CVE-2017-9233 https://bugzilla.suse.com/1030296 SUSE Bug 1030296 https://bugzilla.suse.com/1047236 SUSE Bug 1047236 https://bugzilla.suse.com/1073350 SUSE Bug 1073350 https://bugzilla.suse.com/1123115 SUSE Bug 1123115 https://bugzilla.suse.com/983216 SUSE Bug 983216