[ASA-201611-2] libxml2: arbitrary code execution
Arch Linux Security Advisory ASA-201611-2
=========================================

Severity: Critical
Date    : 2016-11-01
CVE-ID  : CVE-2016-4658 CVE-2016-5131
Package : libxml2
Type    : arbitrary code execution
Remote  : Yes
Link    :

Summary
=======

The package libxml2 before version 2.9.4+12+ge905f08-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 2.9.4+12+ge905f08-1.

# pacman -Syu "libxml2>=2.9.4+12+ge905f08-1"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2016-4658 (arbitrary code execution)

A use-after-free vulnerability via namespace nodes in XPointer ranges was
found in libxml2.

- CVE-2016-5131 (arbitrary code execution)

Bugs in xmlXPathEvalExpr and xmlXPtrRangeToFunction can lead to a
use-after-free and allow control of the instruction pointer.

Impact
======

A remote attacker is able to use a specially crafted XPath payload to
execute arbitrary code.

References
==========
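The Resolution above gives a fixed version string that pacman compares using Arch's vercmp rules (epoch, pkgver split into numeric and alphabetic segments, then pkgrel). The following is an added example, not part of the advisory or of pacman, that re-implements those comparison rules in Python so a fleet audit script can decide from `pacman -Q libxml2` output whether a host is still below 2.9.4+12+ge905f08-1. The vercmp semantics are reproduced from the pacman vercmp(8) ordering rules as an assumption; the sample `pacman -Q` lines are constructed, and only the FIXED_VERSION value comes from the advisory.

```python
import re
from typing import List, Tuple

# Fixed version taken from the advisory's Resolution section.
FIXED_VERSION = "2.9.4+12+ge905f08-1"

# Constructed sample lines in the shape of `pacman -Q libxml2` output ("name version").
SAMPLE_PACMAN_Q = [
    "libxml2 2.9.4-1",
    "libxml2 2.9.4+12+ge905f08-1",
    "libxml2 2.9.4+12+ge905f08-2",
    "libxml2 2.9.3-1",
]

# A version is a run of numeric and alphabetic segments; separators are ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _split_epoch_ver_rel(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:pkgver-pkgrel' into its parts (epoch and pkgrel optional)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, sep, pkgrel = version.rpartition("-")
    if not sep:                      # no pkgrel present at all
        pkgver, pkgrel = pkgrel, ""
    return epoch, pkgver, pkgrel


def _compare_segments(a: str, b: str) -> int:
    """Segment-wise comparison following the vercmp(8) ordering (assumed here).

    Numeric segments compare as integers and sort after alphabetic ones;
    a trailing numeric segment makes a version newer, a trailing alphabetic
    segment makes it older (so 1.0a < 1.0 < 1.0.1).
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) > len(sb):
        return 1 if sa[len(sb)].isdigit() else -1
    if len(sb) > len(sa):
        return -1 if sb[len(sa)].isdigit() else 1
    return 0


def vercmp(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a is older than, equal to, or newer than b."""
    ea, va, ra = _split_epoch_ver_rel(a)
    eb, vb, rb = _split_epoch_ver_rel(b)
    if ea != eb:
        return 1 if ea > eb else -1
    result = _compare_segments(va, vb)
    # pkgrel only breaks ties, and only when both sides carry one.
    if result != 0 or not ra or not rb:
        return result
    return _compare_segments(ra, rb)


def is_vulnerable(installed: str) -> bool:
    """True when the installed libxml2 version is below the advisory's fix."""
    return vercmp(installed, FIXED_VERSION) < 0


def audit(pacman_q_lines: List[str]) -> List[Tuple[str, bool]]:
    """Map each 'libxml2 <version>' line to (version, still vulnerable?)."""
    findings = []
    for line in pacman_q_lines:
        name, version = line.split()
        if name == "libxml2":
            findings.append((version, is_vulnerable(version)))
    return findings


if __name__ == "__main__":
    for version, vulnerable in audit(SAMPLE_PACMAN_Q):
        print(f"libxml2 {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

On a real host, feed `audit()` the output of `pacman -Q libxml2` instead of the constructed list; the `>=` constraint in the advisory's pacman command expresses the same comparison that `is_vulnerable()` performs here.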