CVE-2016-4449

Published: 30 May 2016

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

Priority

CVSS 3 base score: 7.1

Status

Package	Release	Status
libxml2 Launchpad, Ubuntu, Debian	Upstream	Released (2.9.4)





	Ubuntu 16.04 ESM (Xenial Xerus)	Released (2.9.3+dfsg1-1ubuntu0.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (2.9.1+dfsg1-3ubuntu4.8)
	Patches: Upstream: https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://ubuntu.com/security/notices/USN-2994-1
NVD
Launchpad
Debian

Bugs

https://bugzilla.gnome.org/show_bug.cgi?id=761430

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›