Ubuntu Security Notice 6102-1 - It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause unexpected syntactic changes during XML processing. This issue only affected Ubuntu 20.04 LTS. It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
==========================================================================
Ubuntu Security Notice USN-6102-1
May 24, 2023
node-xmldom vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in xmldom.

Software Description:

- node-xmldom: A pure JavaScript W3C standard-based `DOMParser` and
  `XMLSerializer` module.

Details:

It was discovered that xmldom incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause
unexpected syntactic changes during XML processing. This issue only affected
Ubuntu 20.04 LTS. (CVE-2021-21366)

It was discovered that xmldom incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-37616, CVE-2022-39353)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  node-xmldom 0.7.5-1ubuntu0.22.10.1

Ubuntu 22.04 LTS:
  node-xmldom 0.7.5-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  node-xmldom 0.1.27+ds-1+deb10u2build0.20.04.1

In general, a standard system update will make all the necessary changes.

References:

  https://ubuntu.com/security/notices/USN-6102-1
  CVE-2021-21366, CVE-2022-37616, CVE-2022-39353

Package Information:

  https://launchpad.net/ubuntu/+source/node-xmldom/0.7.5-1ubuntu0.22.10.1
  https://launchpad.net/ubuntu/+source/node-xmldom/0.7.5-1ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/node-xmldom/0.1.27+ds-1+deb10u2build0.20.04.1
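
To confirm that hosts actually carry the fixed builds named in the update instructions above, the following added example (not part of the Ubuntu notice) checks a package inventory against those versions using Debian version ordering, implemented in Python so it can run away from the hosts themselves. The hostnames, inventory rows and function names are constructed for illustration, and the release keys are assumed to be the `VERSION_ID` value from `/etc/os-release`.

```python
import re

# Fixed node-xmldom versions from USN-6102-1, keyed by Ubuntu VERSION_ID.
FIXED = {"22.10": "0.7.5-1ubuntu0.22.10.1",
         "22.04": "0.7.5-1ubuntu0.22.04.1",
         "20.04": "0.1.27+ds-1+deb10u2build0.20.04.1"}

def _order(c):
    # dpkg character ranking: '~' lowest, then end of string or digit, letters, the rest.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk both strings, comparing non-digit runs by rank and digit runs as integers.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            x, y = _order(a[i:i + 1]), _order(b[j:j + 1])
            if x != y:
                return -1 if x < y else 1
            i, j = i + 1, j + 1
        da, db = (re.match(r"[0-9]*", s).group() for s in (a[i:], b[j:]))
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def deb_cmp(v1, v2):
    # Negative, zero or positive; order of comparison is epoch, upstream, revision.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        return (int(epoch), *(rest.rsplit("-", 1) if "-" in rest else (rest, "")))
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(inventory):
    # Hosts whose installed version sorts below the fixed version for their release.
    return [(host, inst, FIXED[rel]) for host, rel, inst in inventory
            if rel in FIXED and deb_cmp(inst, FIXED[rel]) < 0]

# Constructed inventory rows: (hostname, VERSION_ID, installed node-xmldom version).
INVENTORY = [("build-01", "22.04", "0.7.5-1"),
             ("build-02", "22.04", "0.7.5-1ubuntu0.22.04.1"),
             ("ci-03", "20.04", "0.1.27+ds-1")]

print(audit(INVENTORY))  # hosts that still need the update
```

On a single host, `dpkg --compare-versions` performs the same comparison against the version reported by `dpkg-query`.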