==========================================================================
Ubuntu Security Notice USN-4991-1
June 17, 2021

libxml2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in libxml2.

Software Description:
- libxml2: GNOME XML library

Details:

Yunho Kim discovered that libxml2 incorrectly handled certain error
conditions. A remote attacker could exploit this with a crafted XML file to
cause a denial of service, or possibly cause libxml2 to expose sensitive
information. This issue only affected Ubuntu 14.04 ESM, and Ubuntu 16.04
ESM. (CVE-2017-8872)

Zhipeng Xie discovered that libxml2 incorrectly handled certain XML
schemas. A remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM,
and Ubuntu 18.04 LTS. (CVE-2019-20388)

It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A
remote attacker could possibly exploit this with a crafted XML file to
cause libxml2 to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04
LTS and Ubuntu 20.10. (CVE-2020-24977)

It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A
remote attacker could possibly exploit this with a crafted XML file to
cause libxml2 to crash, resulting in a denial of service. (CVE-2021-3517)

It was discovered that libxml2 did not properly handle certain crafted XML
files. A local attacker could exploit this with a crafted input to cause
libxml2 to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2021-3516, CVE-2021-3518)

It was discovered that libxml2 incorrectly handled error states. A remote
attacker could exploit this with a crafted XML file to cause libxml2 to
crash, resulting in a denial of service. (CVE-2021-3537)

Sebastian Pipping discovered that libxml2 did not properly handle certain
crafted XML files. A remote attacker could exploit this with a crafted XML
file to cause libxml2 to crash, resulting in a denial of service. This
issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04.
(CVE-2021-3541)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
  libxml2                         2.9.10+dfsg-6.3ubuntu0.1
  libxml2-utils                   2.9.10+dfsg-6.3ubuntu0.1

Ubuntu 20.10:
  libxml2                         2.9.10+dfsg-5ubuntu0.20.10.2
  libxml2-utils                   2.9.10+dfsg-5ubuntu0.20.10.2

Ubuntu 20.04 LTS:
  libxml2                         2.9.10+dfsg-5ubuntu0.20.04.1
  libxml2-utils                   2.9.10+dfsg-5ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  libxml2                         2.9.4+dfsg1-6.1ubuntu1.4
  libxml2-utils                   2.9.4+dfsg1-6.1ubuntu1.4

Ubuntu 16.04 ESM:
  libxml2                         2.9.3+dfsg1-1ubuntu0.7+esm1
  libxml2-utils                   2.9.3+dfsg1-1ubuntu0.7+esm1

Ubuntu 14.04 ESM:
  libxml2                         2.9.1+dfsg1-3ubuntu4.13+esm2
  libxml2-utils                   2.9.1+dfsg1-3ubuntu4.13+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4991-1
  CVE-2017-8872, CVE-2019-20388, CVE-2020-24977, CVE-2021-3516,
  CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541

Package Information:
  https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-6.3ubuntu0.1
  https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.10.2
  https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.04.1
  https://launchpad.net/ubuntu/+source/libxml2/2.9.4+dfsg1-6.1ubuntu1.4