[3.4] expat: Multiple issues (CVE-2012-6702, CVE-2016-5300)
CVE-2012-6702: Using XML_Parse before rand() results in non-random output
Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6702
CVE-2016-5300: Little entropy used for hash initialization
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5300
(from redmine: issue id 6890, created on 2017-02-17, closed on 2017-08-28)
- Relations:
- parent #6889 (closed)
- Changesets:
- Revision f601fbb6 by Natanael Copa on 2017-02-17T13:57:45Z:
main/expat: security upgrade to 2.2.0 (CVE-2016-5300,CVE-2012-6702)
fixes #6890