{"id":"USN-2994-1","summary":"libxml2 vulnerabilities","details":"It was discovered that libxml2 incorrectly handled certain malformed\ndocuments. If a user or automated system were tricked into opening a\nspecially crafted document, an attacker could possibly cause libxml2 to\ncrash, resulting in a denial of service. (CVE-2015-8806, CVE-2016-2073,\nCVE-2016-3627, CVE-2016-3705, CVE-2016-4447)\n\nIt was discovered that libxml2 incorrectly handled certain malformed\ndocuments. If a user or automated system were tricked into opening a\nspecially crafted document, an attacker could cause libxml2 to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-1762, CVE-2016-1834)\n\nMateusz Jurczyk discovered that libxml2 incorrectly handled certain\nmalformed documents. If a user or automated system were tricked into\nopening a specially crafted document, an attacker could cause libxml2 to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-1833, CVE-2016-1838, CVE-2016-1839)\n\nWei Lei and Liu Yang discovered that libxml2 incorrectly handled certain\nmalformed documents. If a user or automated system were tricked into\nopening a specially crafted document, an attacker could cause libxml2 to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-1835, CVE-2016-1837)\n\nWei Lei and Liu Yang discovered that libxml2 incorrectly handled certain\nmalformed documents. If a user or automated system were tricked into\nopening a specially crafted document, an attacker could cause libxml2 to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and\nUbuntu 16.04 LTS. (CVE-2016-1836)\n\nKostya Serebryany discovered that libxml2 incorrectly handled certain\nmalformed documents. If a user or automated system were tricked into\nopening a specially crafted document, an attacker could cause libxml2 to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-1840)\n\nIt was discovered that libxml2 would load certain XML external entities. If\na user or automated system were tricked into opening a specially crafted\ndocument, an attacker could possibly obtain access to arbitrary files or\ncause resource consumption. (CVE-2016-4449)\n\nGustavo Grieco discovered that libxml2 incorrectly handled certain\nmalformed documents. If a user or automated system were tricked into\nopening a specially crafted document, an attacker could possibly cause\nlibxml2 to crash, resulting in a denial of service. (CVE-2016-4483)\n","modified":"2026-04-22T09:25:46.534551Z","published":"2016-06-06T16:43:37Z","related":["UBUNTU-CVE-2015-8806","UBUNTU-CVE-2016-1762","UBUNTU-CVE-2016-1833","UBUNTU-CVE-2016-1834","UBUNTU-CVE-2016-1835","UBUNTU-CVE-2016-1836","UBUNTU-CVE-2016-1837","UBUNTU-CVE-2016-1838","UBUNTU-CVE-2016-1839","UBUNTU-CVE-2016-1840","UBUNTU-CVE-2016-2073","UBUNTU-CVE-2016-3627","UBUNTU-CVE-2016-3705","UBUNTU-CVE-2016-4447","UBUNTU-CVE-2016-4449","UBUNTU-CVE-2016-4483"],"upstream":["CVE-2015-8806","CVE-2016-1762","CVE-2016-1833","CVE-2016-1834","CVE-2016-1835","CVE-2016-1836","CVE-2016-1837","CVE-2016-1838","CVE-2016-1839","CVE-2016-1840","CVE-2016-2073","CVE-2016-3627","CVE-2016-3705","CVE-2016-4447","CVE-2016-4449","CVE-2016-4483","UBUNTU-CVE-2015-8806","UBUNTU-CVE-2016-1762","UBUNTU-CVE-2016-1833","UBUNTU-CVE-2016-1834","UBUNTU-CVE-2016-1835","UBUNTU-CVE-2016-1836","UBUNTU-CVE-2016-1837","UBUNTU-CVE-2016-1838","UBUNTU-CVE-2016-1839","UBUNTU-CVE-2016-1840","UBUNTU-CVE-2016-2073","UBUNTU-CVE-2016-3627","UBUNTU-CVE-2016-3705","UBUNTU-CVE-2016-4447","UBUNTU-CVE-2016-4449","UBUNTU-CVE-2016-4483"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2994-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8806"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1762"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1833"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1834"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1835"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1836"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1837"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1838"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1839"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1840"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-2073"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-3627"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-3705"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4447"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4449"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4483"}],"affected":[{"package":{"name":"libxml2","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/libxml2@2.9.1+dfsg1-3ubuntu4.8?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.1+dfsg1-3ubuntu4.8"}]}],"versions":["2.9.1+dfsg1-3ubuntu2","2.9.1+dfsg1-3ubuntu3","2.9.1+dfsg1-3ubuntu4","2.9.1+dfsg1-3ubuntu4.1","2.9.1+dfsg1-3ubuntu4.2","2.9.1+dfsg1-3ubuntu4.3","2.9.1+dfsg1-3ubuntu4.4","2.9.1+dfsg1-3ubuntu4.5","2.9.1+dfsg1-3ubuntu4.6","2.9.1+dfsg1-3ubuntu4.7"],"ecosystem_specific":{"binaries":[{"binary_name":"libxml2","binary_version":"2.9.1+dfsg1-3ubuntu4.8"},{"binary_name":"libxml2-utils","binary_version":"2.9.1+dfsg1-3ubuntu4.8"},{"binary_name":"python-libxml2","binary_version":"2.9.1+dfsg1-3ubuntu4.8"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2015-8806","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-1762","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1833","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1834","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1835","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1836","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1837","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1838","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1839","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1840","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-2073","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-3627","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-3705","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-4447","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-4449","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-4483","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2994-1.json"}},{"package":{"name":"libxml2","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libxml2@2.9.3+dfsg1-1ubuntu0.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.3+dfsg1-1ubuntu0.1"}]}],"versions":["2.9.2+zdfsg1-4","2.9.2+zdfsg1-4ubuntu1","2.9.2+zdfsg1-4ubuntu2","2.9.2+zdfsg1-4ubuntu3","2.9.3+dfsg1-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libxml2","binary_version":"2.9.3+dfsg1-1ubuntu0.1"},{"binary_name":"libxml2-utils","binary_version":"2.9.3+dfsg1-1ubuntu0.1"},{"binary_name":"python-libxml2","binary_version":"2.9.3+dfsg1-1ubuntu0.1"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2015-8806","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-1762","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1833","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1834","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1835","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1836","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1837","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1838","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1839","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1840","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-2073","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-3627","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-3705","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-4447","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-4449","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-4483","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2994-1.json"}}],"schema_version":"1.7.5"}