Bug 518215 (CVE-2009-2473)
| Summary: | CVE-2009-2473 neon: billion laughs DoS attack | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | jorton, kreilly, tbzatek, vdanen | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-01-08 06:08:39 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 521786, 521787, 521788, 521789, 540548, 795936 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2009-08-19 14:33:34 UTC
Information about affected Neon versions from Joe Orton: ------------------------------------------------------- All versions of neon older than 0.28.6 are affected, where linked against expat. This issue does not affect versions of neon which are compiled to use libxml2 instead of expat, provided the libxml2 version is 2.6.32 or greater. Created attachment 357950 [details] Upstream Neon CVE-2009-2473 patch Retrieved via: -------------- svn diff -c 1688 http://svn.webdav.org/repos/projects/neon/tags/0.28.6 > neon-CVE-2009-2473.patch MITRE's CVE-2009-2473 record: ----------------------------- neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473 http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html http://secunia.com/advisories/36371 Update availability information for embedded copy of neon package as present in gnome-vfs2 package: ------------------------------------------------- The Red Hat Security Response Team has rated this issue as having low security impact, a future gnome-vfs2 package update may address this flaw in Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Via RHSA-2009:1452 https://rhn.redhat.com/errata/RHSA-2009-1452.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0131 https://rhn.redhat.com/errata/RHSA-2013-0131.html |