Security Advisory Details

NS-SA-2019-0072

2019-07-17 14:58:09

Summary

moderate: xerces-c/wpa_supplicant security update

Severity

moderate

Topic

An update for xerces-c/wpa_supplicant is now available for NewStart CGSL MAIN 5.04 and CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

xerces-c: Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, and XML Inclusions.
wpa_supplicant: wpa_supplicant is a WPA supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). The supplicant is the IEEE 802.1X/WPA component used in client stations. It implements key negotiation with a WPA authenticator and controls the roaming and IEEE 802.11 authentication/association of the WLAN driver.


Security Fix(es):
xerces-c: A stack exhaustion flaw was found in the way the Xerces-C XML parser handled deeply nested DTDs. An attacker could potentially use this flaw to crash an application using Xerces-C by tricking it into processing specially crafted data. (CVE-2016-4463)
xerces-c: bugfix
wpa_supplicant: An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the access point and client can abuse the vulnerability to recover sensitive information. (CVE-2018-14526)
wpa_supplicant: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Note that the build tag for this update is 5.04.F12.
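Confirming that a host actually carries the fixed builds is the check a practitioner wants after applying the update. The script below is an added example and is not part of this advisory or of NewStart's own tooling. It takes lines in the default `rpm -qa` format (a constructed sample stands in for real command output), reproduces rpm's version-release ordering (segment-wise comparison as in rpmvercmp, including the `~` pre-release rule), and reports any package from this advisory that is still older than the version-release listed under Update Packages. The `FIXED` table, `check_installed` and the other function names are choices made here; epoch is not compared because the advisory lists none.

```python
import re
import sys
from itertools import zip_longest

# Fixed version-release of every package in NS-SA-2019-0072, taken from the
# advisory's update-package list. No epoch is listed, so none is compared.
FIXED = {
    "xerces-c": "3.1.1-9.el7",
    "xerces-c-devel": "3.1.1-9.el7",
    "xerces-c-doc": "3.1.1-9.el7",
    "xerces-c-debuginfo": "3.1.1-9.el7",
    "wpa_supplicant": "2.6-12.el7",
    "wpa_supplicant-debuginfo": "2.6-12.el7",
}

# Segments that rpmvercmp compares: digit runs, letter runs, and the tilde marker.
# Separators such as '.', '-' and '_' are skipped.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two rpm version (or release) strings like librpm's rpmvercmp.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Numeric segments compare as
    integers, alphabetic segments lexically, a numeric segment beats an
    alphabetic one, a string beats its own prefix, and '~' sorts before
    everything, including end of string (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b), fillvalue=""):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if not x:           # a ran out of segments first: a is older
            return -1
        if not y:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1           # numeric beats alphabetic
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def parse_nvra(line: str):
    """Split 'name-version-release.arch' (default rpm -qa output) into its parts."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def check_installed(rpm_qa_lines):
    """Return [(name, installed_vr, fixed_vr)] for advisory packages still below the fix."""
    pending = []
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, version, release, _arch = parse_nvra(line)
        fixed = FIXED.get(name)
        if fixed is None:
            continue        # package not covered by this advisory
        installed = f"{version}-{release}"
        if compare_vr(installed, fixed) < 0:
            pending.append((name, installed, fixed))
    return pending


# Constructed sample standing in for real `rpm -qa` output on a CGSL 5.04 host:
# one package below the fix, one already fixed, one older wpa_supplicant build,
# and one unrelated package that must be ignored.
SAMPLE_RPM_QA = """\
xerces-c-3.1.1-8.el7.x86_64
xerces-c-devel-3.1.1-9.el7.x86_64
wpa_supplicant-2.6-5.el7_5.x86_64
openssl-1.0.2k-16.el7.x86_64
"""

if __name__ == "__main__":
    # Usage on a real host: rpm -qa | python3 check_ns_sa_2019_0072.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_RPM_QA.splitlines()
    for name, have, want in check_installed(lines):
        print(f"{name}: installed {have}, advisory requires {want}")
```

On the constructed sample this reports xerces-c (3.1.1-8.el7) and wpa_supplicant (2.6-5.el7_5) as still needing the update, while xerces-c-devel is already at the fixed build and openssl is not part of the advisory. Only the name-version-release.arch form is parsed; if your query format includes an epoch prefix, strip it first or extend `parse_nvra`.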

Affected Components

  • xerces-c
  • wpa_supplicant

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

CGSL MAIN 5.04

  • Source: xerces-c-3.1.1-9.el7.src.rpm
    Binaries: xerces-c-3.1.1-9.el7.x86_64.rpm, xerces-c-debuginfo-3.1.1-9.el7.x86_64.rpm, xerces-c-devel-3.1.1-9.el7.x86_64.rpm, xerces-c-doc-3.1.1-9.el7.noarch.rpm
  • Source: wpa_supplicant-2.6-12.el7.src.rpm
    Binaries: wpa_supplicant-2.6-12.el7.x86_64.rpm, wpa_supplicant-debuginfo-2.6-12.el7.x86_64.rpm

CGSL CORE 5.04

  • Source: xerces-c-3.1.1-9.el7.src.rpm
    Binaries: xerces-c-3.1.1-9.el7.x86_64.rpm, xerces-c-debuginfo-3.1.1-9.el7.x86_64.rpm, xerces-c-devel-3.1.1-9.el7.x86_64.rpm, xerces-c-doc-3.1.1-9.el7.noarch.rpm
  • Source: wpa_supplicant-2.6-12.el7.src.rpm
    Binaries: wpa_supplicant-2.6-12.el7.x86_64.rpm, wpa_supplicant-debuginfo-2.6-12.el7.x86_64.rpm

CVE

  • CVE-2016-4463
  • CVE-2018-14526

References