Date: Thu, 1 Mar 2018 02:26:43 +0000 From: "Cantor, Scott" <cantor.2@....edu> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Apache Xerces-C Security Advisory for versions < 3.2.1 [CVE-2017-12627] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.2.1 Description: The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution. Mitigation: Applications that are using library versions older than V3.2.1 should upgrade as soon as possible. Distributors of older versions should apply the patch from this subversion revision: http://svn.apache.org/viewvc?view=revision&revision=1819998 Applications should strongly consider blocking remote entity resolution and/or outright disabling of DTD processing in light of the continued identification of bugs in this area of the library. Credit: This issue was reported by Alberto Garcia, Francisco Oca, and Suleman Ali of Offensive Research at Salesforce.com. References: http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlqXX9QACgkQN4uEVAIn eWIQaBAAikR87i0rxicryFO8xVkhEnrneWn4AM1h55HZNlIdYXzkzfcQqeLbtVSO bJey5xZIiL6lo+ybMKXyoIrqjtkD1LjqnHcyFPNCFZMD59vS+B47c86U2JU7jEPI N+Q33U8g8H0fAPhdop0XnhUiXBBvfpWIflunUWefLE+ybd8J5/B7CK54feC0/8CK Q47Lmj0aMKDtCM37gADbd6gI6PMJ7Kqjf5yb45okp2qhUZFp+8zrbczVmk/W9Opt JcuoxJFx+yfquMvs+yEelOr0m8vGtVJSFEJILZYEpbiMjMFvvBbXNCSQsPp7c7B9 idLSect9ZDh5f/r3vEWKWq63dILxNBVm3D6K9PyEsYMk3rOTLeYin4KM5RRsmRV6 8QUC0LS5y7q8ZsE8ou3XoFnBNwckHY3yixZ99kplM7SnzAN7N1EHBlQsGYOsEoQ+ rqIWSPrbRE6Axdbrqo8FMjwq+kBB3zu4/AVl9VbUrV9o1dQGppWxqpRthUAIz6hS 7abqQXrdrpXwVOx/dPN9/VK8EwmiBLcvgGIGmloABkPrzt7DqgqQfUUeNSUbQlBD exhckp4ivJre/F2lbdNcYq4ETSBybB++RCJF74DKhp6EwuFddCQfV5bqjeioCu9K cYjTbzLboz8jVrXTiavqY1Rpazv2agp+bv1jTU+nV0WQVaoSd0c= =4BQ4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.