Security update for libxml2

Announcement ID:	SUSE-SU-2017:1587-1
Rating:	moderate
References:	bsc#1039063 bsc#1039064 bsc#1039066 bsc#1039069 bsc#1039661
Cross-References:	CVE-2017-9047 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050
CVSS scores:	CVE-2017-9047 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-9047 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-9048 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-9048 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-9049 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-9049 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-9050 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-9050 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves four vulnerabilities and has one security fix can now be installed.

Description:

This update for libxml2 fixes the following issues:

• CVE-2017-9050: heap-based buffer overflow (xmlDictAddString func) [bsc#1039069, bsc#1039661]
• CVE-2017-9049: heap-based buffer overflow (xmlDictComputeFastKey func) [bsc#1039066]
• CVE-2017-9048: stack overflow vulnerability (xmlSnprintfElementContent func) [bsc#1039063]
• CVE-2017-9047: stack overflow vulnerability (xmlSnprintfElementContent func) [bsc#1039064]

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-975=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2017-975=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-975=1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-975=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • libxml2-tools-2.9.1-26.15.1
  • libxml2-2-debuginfo-2.9.1-26.15.1
  • libxml2-tools-debuginfo-2.9.1-26.15.1
  • libxml2-debugsource-2.9.1-26.15.1
  • python-libxml2-2.9.1-26.15.1
  • python-libxml2-debuginfo-2.9.1-26.15.1
  • python-libxml2-debugsource-2.9.1-26.15.1
  • libxml2-2-2.9.1-26.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
  • libxml2-doc-2.9.1-26.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
  • libxml2-2-32bit-2.9.1-26.15.1
  • libxml2-2-debuginfo-32bit-2.9.1-26.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • libxml2-tools-2.9.1-26.15.1
  • libxml2-2-debuginfo-2.9.1-26.15.1
  • libxml2-tools-debuginfo-2.9.1-26.15.1
  • libxml2-debugsource-2.9.1-26.15.1
  • python-libxml2-2.9.1-26.15.1
  • python-libxml2-debuginfo-2.9.1-26.15.1
  • libxml2-2-debuginfo-32bit-2.9.1-26.15.1
  • python-libxml2-debugsource-2.9.1-26.15.1
  • libxml2-2-2.9.1-26.15.1
  • libxml2-2-32bit-2.9.1-26.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • libxml2-doc-2.9.1-26.15.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • libxml2-tools-2.9.1-26.15.1
  • libxml2-2-debuginfo-2.9.1-26.15.1
  • libxml2-tools-debuginfo-2.9.1-26.15.1
  • libxml2-debugsource-2.9.1-26.15.1
  • python-libxml2-2.9.1-26.15.1
  • python-libxml2-debuginfo-2.9.1-26.15.1
  • python-libxml2-debugsource-2.9.1-26.15.1
  • libxml2-2-2.9.1-26.15.1
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • libxml2-doc-2.9.1-26.15.1
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • libxml2-2-32bit-2.9.1-26.15.1
  • libxml2-2-debuginfo-32bit-2.9.1-26.15.1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
  • libxml2-tools-2.9.1-26.15.1
  • libxml2-2-debuginfo-2.9.1-26.15.1
  • libxml2-tools-debuginfo-2.9.1-26.15.1
  • libxml2-debugsource-2.9.1-26.15.1
  • python-libxml2-2.9.1-26.15.1
  • python-libxml2-debuginfo-2.9.1-26.15.1
  • python-libxml2-debugsource-2.9.1-26.15.1
  • libxml2-2-2.9.1-26.15.1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (noarch)
  • libxml2-doc-2.9.1-26.15.1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (s390x x86_64)
  • libxml2-2-32bit-2.9.1-26.15.1
  • libxml2-2-debuginfo-32bit-2.9.1-26.15.1

References:

• https://www.suse.com/security/cve/CVE-2017-9047.html
• https://www.suse.com/security/cve/CVE-2017-9048.html
• https://www.suse.com/security/cve/CVE-2017-9049.html
• https://www.suse.com/security/cve/CVE-2017-9050.html
• https://bugzilla.suse.com/show_bug.cgi?id=1039063
• https://bugzilla.suse.com/show_bug.cgi?id=1039064
• https://bugzilla.suse.com/show_bug.cgi?id=1039066
• https://bugzilla.suse.com/show_bug.cgi?id=1039069
• https://bugzilla.suse.com/show_bug.cgi?id=1039661