oss-sec mailing list archives
Re: Re: libxml2 "ampproblem" DoS
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 7 Oct 2008 14:33:24 -0400 (EDT)
On Mon, 6 Oct 2008, Tomas Hoger wrote:
CVE-2008-4409 is public on NVD site, CVE-2008-4422 in Gentoo BZ and here... CVE-2008-4422 should probably be rejected.
Agreed. - Steve ====================================================== Name: CVE-2008-4409 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409 Reference: MLIST:[oss-security] 20081002 libxml2 "ampproblem" DoS Reference: URL:http://openwall.com/lists/oss-security/2008/10/02/4 Reference: CONFIRM:http://bugzilla.gnome.org/show_bug.cgi?id=554660 libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. ====================================================== Name: CVE-2008-4422 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4422 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-4409. Reason: This candidate is a duplicate of CVE-2008-4409. Notes: All CVE users should reference CVE-2008-4409 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Current thread:
- libxml2 "ampproblem" DoS Robert Buchholz (Oct 02)
- Re: libxml2 "ampproblem" DoS Daniel Veillard (Oct 03)
- Re: Re: libxml2 "ampproblem" DoS Robert Buchholz (Oct 03)
- Re: Re: libxml2 "ampproblem" DoS Steven M. Christey (Oct 03)
- Re: Re: libxml2 "ampproblem" DoS Tomas Hoger (Oct 06)
- Re: Re: libxml2 "ampproblem" DoS Robert Buchholz (Oct 06)
- Re: Re: libxml2 "ampproblem" DoS Steven M. Christey (Oct 07)
- Re: libxml2 "ampproblem" DoS Daniel Veillard (Oct 03)