CVE-2016-9318

Publication date 15 November 2016

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

5.5 · Medium

Score breakdown

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Read the notes from the security team

Status

Package Ubuntu Release Status
libxml2 18.04 LTS bionic
Fixed 2.9.4+dfsg1-6.1ubuntu1.2
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial
Fixed 2.9.3+dfsg1-1ubuntu0.6
14.04 LTS trusty
Fixed 2.9.1+dfsg1-3ubuntu4.13
12.04 LTS precise Ignored end of life

Notes


mdeslaur

patch introduced a new option that isn't enabled by default: https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0 commit was later reverted in https://git.gnome.org/browse/libxml2/commit/?id=030b1f7a27c22f9237eddca49ec5e620b6258d7d commit listed below is new patch to fix this issue

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libxml2

Severity score breakdown

Parameter Value
Base score 5.5 · Medium
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-3739-2
    • libxml2 vulnerabilities
    • 14 August 2018
    • USN-3739-1
    • libxml2 vulnerabilities
    • 14 August 2018

Other references