Date: Thu, 1 Mar 2018 02:26:43 +0000
From: "Cantor, Scott" <cantor.2@....edu>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Apache Xerces-C Security Advisory for versions < 3.2.1 [CVE-2017-12627]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.2.1

Description: The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution.

Mitigation: Applications that are using library versions older than V3.2.1 should upgrade as soon as possible. Distributors of older versions should apply the patch from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1819998

Applications should strongly consider blocking remote entity resolution and/or outright disabling of DTD processing in light of the continued identification of bugs in this area of the library.

Credit: This issue was reported by Alberto Garcia, Francisco Oca, and Suleman Ali of Offensive Research at Salesforce.com.
References: http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlqXX9QACgkQN4uEVAIn
eWIQaBAAikR87i0rxicryFO8xVkhEnrneWn4AM1h55HZNlIdYXzkzfcQqeLbtVSO
bJey5xZIiL6lo+ybMKXyoIrqjtkD1LjqnHcyFPNCFZMD59vS+B47c86U2JU7jEPI
N+Q33U8g8H0fAPhdop0XnhUiXBBvfpWIflunUWefLE+ybd8J5/B7CK54feC0/8CK
Q47Lmj0aMKDtCM37gADbd6gI6PMJ7Kqjf5yb45okp2qhUZFp+8zrbczVmk/W9Opt
JcuoxJFx+yfquMvs+yEelOr0m8vGtVJSFEJILZYEpbiMjMFvvBbXNCSQsPp7c7B9
idLSect9ZDh5f/r3vEWKWq63dILxNBVm3D6K9PyEsYMk3rOTLeYin4KM5RRsmRV6
8QUC0LS5y7q8ZsE8ou3XoFnBNwckHY3yixZ99kplM7SnzAN7N1EHBlQsGYOsEoQ+
rqIWSPrbRE6Axdbrqo8FMjwq+kBB3zu4/AVl9VbUrV9o1dQGppWxqpRthUAIz6hS
7abqQXrdrpXwVOx/dPN9/VK8EwmiBLcvgGIGmloABkPrzt7DqgqQfUUeNSUbQlBD
exhckp4ivJre/F2lbdNcYq4ETSBybB++RCJF74DKhp6EwuFddCQfV5bqjeioCu9K
cYjTbzLboz8jVrXTiavqY1Rpazv2agp+bv1jTU+nV0WQVaoSd0c=
=4BQ4
-----END PGP SIGNATURE-----
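The mitigation section above recommends blocking remote entity resolution or disabling DTD processing outright. The first place to do that is in the parser itself: on Xerces-C 3.x the DOM parser exposes `XercesDOMParser::setLoadExternalDTD(false)` and `setDisableDefaultEntityResolution(true)` for exactly this purpose. The code below is an added example, not part of the advisory and not Xerces-C code; it is a defense-in-depth gate that classifies a document's prolog before the bytes ever reach the parser, so that a DOCTYPE with an external DTD path (the code path in which this bug triggers) or any external `SYSTEM`/`PUBLIC` entity declaration in the internal subset is rejected up front. The function names `classifyDtd` and `prologAcceptable`, the `DtdUse` enum and all sample documents are constructed for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Outcome of inspecting the document prolog (everything before the root element).
enum class DtdUse { None, InternalOnly, External };

namespace {

bool startsWith(const std::string& s, std::size_t pos, const char* lit) {
    std::size_t n = std::char_traits<char>::length(lit);
    return s.compare(pos, n, lit) == 0;
}

// Keyword match at pos, bounded by non-alphanumeric characters on both sides,
// so "SYSTEM" inside a longer name does not count.
bool keywordAt(const std::string& s, std::size_t pos, const char* kw) {
    std::size_t n = std::char_traits<char>::length(kw);
    if (!startsWith(s, pos, kw)) return false;
    bool before = pos == 0 || !std::isalnum(static_cast<unsigned char>(s[pos - 1]));
    bool after = pos + n >= s.size() || !std::isalnum(static_cast<unsigned char>(s[pos + n]));
    return before && after;
}

} // namespace

// Classify the prolog: no DOCTYPE, a DOCTYPE with only an internal subset, or a
// DOCTYPE that references anything external (external subset or SYSTEM/PUBLIC entity).
DtdUse classifyDtd(const std::string& xml) {
    const std::size_t n = xml.size();
    std::size_t i = 0;
    // Only whitespace, the XML declaration, comments and processing
    // instructions may legitimately precede a DOCTYPE; skip those.
    while (i < n) {
        if (std::isspace(static_cast<unsigned char>(xml[i]))) { ++i; continue; }
        if (startsWith(xml, i, "<!--")) {
            std::size_t e = xml.find("-->", i + 4);
            if (e == std::string::npos) return DtdUse::None;
            i = e + 3; continue;
        }
        if (startsWith(xml, i, "<?")) {
            std::size_t e = xml.find("?>", i + 2);
            if (e == std::string::npos) return DtdUse::None;
            i = e + 2; continue;
        }
        if (startsWith(xml, i, "<!DOCTYPE")) break;
        return DtdUse::None;  // root element reached without a DOCTYPE
    }
    if (i >= n) return DtdUse::None;

    // Walk the DOCTYPE up to its closing '>', skipping quoted literals and comments
    // so keyword text inside quotes is not mistaken for a declaration.
    bool external = false;
    bool inSubset = false;
    std::size_t j = i + 9;  // length of "<!DOCTYPE"
    while (j < n) {
        char c = xml[j];
        if (c == '"' || c == '\'') {
            std::size_t e = xml.find(c, j + 1);
            if (e == std::string::npos) break;
            j = e + 1; continue;
        }
        if (startsWith(xml, j, "<!--")) {
            std::size_t e = xml.find("-->", j + 4);
            if (e == std::string::npos) break;
            j = e + 3; continue;
        }
        if (c == '[') { inSubset = true; ++j; continue; }
        if (c == ']') { inSubset = false; ++j; continue; }
        if (c == '>' && !inSubset) break;  // '>' inside the subset ends a markup decl, not the DOCTYPE
        if (keywordAt(xml, j, "SYSTEM") || keywordAt(xml, j, "PUBLIC")) external = true;
        ++j;
    }
    return external ? DtdUse::External : DtdUse::InternalOnly;
}

// Policy hook: true when the document may be handed to the parser.
// allowInternalSubset=false is the strictest setting (any DOCTYPE is rejected).
bool prologAcceptable(const std::string& xml, bool allowInternalSubset) {
    switch (classifyDtd(xml)) {
        case DtdUse::None:         return true;
        case DtdUse::InternalOnly: return allowInternalSubset;
        case DtdUse::External:     return false;
    }
    return false;
}

int main() {
    // Constructed sample documents (not taken from the advisory).
    const char* samples[] = {
        "<?xml version=\"1.0\"?><root/>",
        "<!DOCTYPE root [ <!ENTITY a \"x\"> ]><root>&a;</root>",
        "<!DOCTYPE root SYSTEM \"http://example.invalid/x.dtd\"><root/>",
    };
    for (const char* s : samples) {
        DtdUse u = classifyDtd(s);
        std::cout << (u == DtdUse::None ? "no DOCTYPE" :
                      u == DtdUse::InternalOnly ? "internal subset only" : "external DTD/entity")
                  << (prologAcceptable(s, false) ? "  -> pass to parser\n" : "  -> reject\n");
    }
    return 0;
}
```

Run the gate on the raw bytes before constructing the Xerces-C parser, and keep the parser's own external-DTD and entity-resolution features switched off as well; the gate is a cheap second line, not a substitute for upgrading to 3.2.1 or for the parser-level settings.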