BugTraq
Xerces-C Security Advisory [CVE-2015-0252] Mar 19 2015 10:40PM
Cantor, Scott (cantor 2 osu edu)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow remote code
execution, but it is a denial of service vulnerability: in many
applications an unauthenticated attacker can supply malformed input
and crash the process that parses it.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=1667870

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVCzmVAAoJEDeLhFQCJ3lipRoP/RLr+6EyyUBp7PxXi31pHYbv
z7E1GZLZ+349BydmI+28y6QXSjjQIeU1VXHaRdBCpfNqv2rIe7n+s/PvojprdHGZ
Ocxg7iPs+mQTxtkTJht1JqT1d4s96BN+DgPDRf7vUzMsu7u6mf9E+Ds2Yajddqgh
zxmsv5YFJlppeAOKDbyaWPfivJS7ubjDK7SQ8Il5N7XHSmVcdGMjGh0Zmbn0mlzk
iTp13aoEknYI3M+4OpIgtszOgbsMQnhRwOgAX+0jBHxrWkK4MBNlotY6oPtx6zWt
DjM/JRr9+V59BsQKrNmE/D0csoEf4OeBEgeqmNTjpy8EO+gOgVHWMowUUAVQkMqu
37njc8IyR/JXStdtzJpHsj4HO2PE9ZE1Uy69DCqCDEeGWl61qx4+sg7Ul783dAab
hCAvAO0zLiyPgkNdydmBQWGymHsle+niydNAi+EGj47rEJ7lDhJhl9qVQ0zyMXr4
O1//QwV7BUaRcgQhcbvd71KeDkPBBNvwpYLAXxIpDkI1/2qjo8ANHxzu/EMP8weK
N+KoIEugAab+t1s1qWpgneYXHLy3uE3KvVeNvb/iHsl5nzzFVBkPe+2OCZfWoedJ
t7gAXaZ2htrF2BQl6g/5hm13/6ajmrtNcX0hBjx2VB4VACOtt0bqextaW/w2Vvb4
AcsopfNHOGvXLDJ3JkHS
=l9vC
-----END PGP SIGNATURE-----
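The advisory describes a parser that segfaults on attacker-supplied input, which turns any service parsing untrusted XML into a crash-on-demand target. Upgrading to 3.1.2 is the fix; until that is deployed, a service can at least confine each parse to a short-lived worker process so that a segmentation fault (or a hang) inside the parser is reported as an error instead of taking the serving process down. The C example below is added here and is not part of the advisory or of Xerces-C: `parse_isolated` is a hypothetical wrapper, and `parse_strict`, `parse_faulting` and `parse_hanging` are constructed stand-ins that model the failure modes rather than calling the real library.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of parsing one document in an isolated worker process. */
enum parse_outcome {
    PARSE_OK = 0,    /* parser returned success */
    PARSE_REJECTED,  /* parser reported malformed input the normal way */
    PARSE_CRASHED,   /* worker died from a signal such as SIGSEGV */
    PARSE_TIMEOUT,   /* worker exceeded its time budget (killed by SIGALRM) */
    PARSE_INTERNAL   /* fork/waitpid failed; nothing was parsed */
};

/* Assumed shape of the wrapped parser: 0 on success, non-zero on error. */
typedef int (*parse_fn)(const char *buf, size_t len);

/* Hypothetical wrapper: run `parse` on `buf` in a forked child so that a
 * segmentation fault inside the parser becomes PARSE_CRASHED for the caller
 * instead of terminating the serving process. timeout_sec must be > 0 and
 * bounds inputs that make the parser spin instead of returning. */
enum parse_outcome parse_isolated(parse_fn parse, const char *buf, size_t len,
                                  unsigned timeout_sec)
{
    pid_t pid = fork();
    if (pid < 0)
        return PARSE_INTERNAL;

    if (pid == 0) {
        /* Child: arm the watchdog, parse, report through the exit status.
         * _exit() avoids flushing stdio buffers inherited from the parent. */
        alarm(timeout_sec);
        _exit(parse(buf, len) == 0 ? 0 : 1);
    }

    int status = 0;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return PARSE_INTERNAL;
    }
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? PARSE_TIMEOUT : PARSE_CRASHED;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? PARSE_OK : PARSE_REJECTED;
    return PARSE_INTERNAL;
}

/* Constructed stand-in: a parser that reports malformed input properly.
 * Its notion of well-formed is deliberately crude (starts with '<',
 * ends with '>'); it exists only to drive the wrapper. */
static int parse_strict(const char *buf, size_t len)
{
    return (len >= 2 && buf[0] == '<' && buf[len - 1] == '>') ? 0 : 1;
}

/* Constructed stand-in for the failure mode in the advisory: the parser
 * faults on malformed input instead of returning an error. */
static int parse_faulting(const char *buf, size_t len)
{
    if (parse_strict(buf, len) != 0)
        raise(SIGSEGV);  /* stands in for a real segmentation fault */
    return 0;
}

/* Constructed stand-in for an input that makes the parser hang. */
static int parse_hanging(const char *buf, size_t len)
{
    (void)buf; (void)len;
    for (;;)
        pause();
}

static const char *outcome_name(enum parse_outcome o)
{
    static const char *names[] = { "ok", "rejected", "crashed", "timeout", "internal" };
    return names[o];
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, one malformed. */
    const char good[] = "<doc>ok</doc>";
    const char bad[]  = "<doc>unterminated";
    printf("strict   / good: %s\n", outcome_name(parse_isolated(parse_strict, good, sizeof good - 1, 2)));
    printf("strict   / bad:  %s\n", outcome_name(parse_isolated(parse_strict, bad, sizeof bad - 1, 2)));
    printf("faulting / bad:  %s\n", outcome_name(parse_isolated(parse_faulting, bad, sizeof bad - 1, 2)));
    printf("hanging  / good: %s\n", outcome_name(parse_isolated(parse_hanging, good, sizeof good - 1, 1)));
    return 0;
}
```

A fork per document is expensive and the child still shares the parent's address space contents at the moment of the fork, so in production the same idea is usually implemented as a pool of pre-forked, privilege-dropped worker processes that are recycled after a crash. It is a containment measure that keeps one malformed document from becoming an outage; it does not remove the fault, so upgrading to 3.1.2 remains the actual fix.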

Privacy Statement
Copyright 2010, SecurityFocus