USN-3010-1 Expat vulnerabilities




expat - XML parsing C library, Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS

It was discovered that Expat unexpectedly called srand in certain circumstances. This could reduce the security of calling applications. (CVE-2012-6702)

It was discovered that Expat incorrectly handled seeding the random number generator. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-5300)

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.67.0
  • Pivotal Elastic Runtime 1.6.x versions prior to 1.6.33 AND 1.7.x versions prior to 1.7.11

Users are strongly encouraged to follow the mitigation below:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.67.0 or later versions
  • Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.33 OR 1.7.x versions to 1.7.11