Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 23 Aug 2019 16:45:10 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: oss-security@...ts.openwall.com
Subject: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code
 from an untrusted source

The following security advisory is announced for the Apache Santuario - XML
Security for Java project, which is fixed in the recent 2.1.4 release.

[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a
caching mechanism
              was introduced to speed up creating new XML documents using a
static pool of
              DocumentBuilders.

              However, if some untrusted code can register a malicious
implementation with
              the thread context class loader first, then this
implementation might be
              cached and re-used by Apache Santuario - XML Security for
Java, leading to
              potential security flaws when validating signed documents,
etc.

For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.