Bug 972950 (CVE-2016-3674) - VUL-0: CVE-2016-3674: xstream: XXE vulnerability
Summary: VUL-0: CVE-2016-3674: xstream: XXE vulnerability
Status: RESOLVED FIXED
Alias: CVE-2016-3674
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None  Severity: Normal
Target Milestone: ---
Assignee: Silvio Moioli
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/164870/
Whiteboard: CVSSv2:RedHat:CVE-2016-3674:5.0:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-29 08:29 UTC by Victor Pereira
Modified: 2021-06-04 16:45 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Victor Pereira 2016-03-29 08:29:16 UTC
CVE-2016-3674

From the changelog (1.4.9):

#25: Fix XXE vulnerability: Fixed affected drivers were Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver, StandardStaxDriver and WstxDriver. Still vulnerable are BEAStaxDriver and XomDriver. Processing of (external) entities has been disabled. See FAQ for more information.

References:
http://x-stream.github.io/changes.html#1.4.9
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674
http://seclists.org/oss-sec/2016/q1/703
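A regression check for the fix quoted above, added here as an example and not part of the bug report or of XStream itself: it feeds a constructed document containing a harmless internal entity to two of the drivers the changelog names (DomDriver and StandardStaxDriver) and reports whether the driver rejected the DOCTYPE, left the reference unexpanded, or expanded it. The Note bean, the entity name and the three outcomes are assumptions made for this check; a build with the 1.4.9 fix should not report EXPANDED.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.HierarchicalStreamDriver;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.io.xml.StandardStaxDriver;

public class XStreamEntityCheck {
    // Bean to deserialize into (constructed for this check, not from the report).
    public static class Note { public String body; }

    // Constructed input: an internal entity only, no external resource. If the
    // parser expands it, body becomes "expanded"; a driver hardened against XXE
    // must either refuse the DOCTYPE outright or leave the reference unresolved.
    static final String CONSTRUCTED_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY probe \"expanded\"> ]>\n"
        + "<note><body>&probe;</body></note>";

    public enum Outcome { REJECTED, EXPANDED, NOT_EXPANDED }

    public static Outcome check(HierarchicalStreamDriver driver) {
        XStream xstream = new XStream(driver);
        // XStream's own type whitelist (available since 1.4.7): only Note may be created.
        xstream.allowTypes(new Class[] { Note.class });
        xstream.alias("note", Note.class);
        try {
            Note n = (Note) xstream.fromXML(CONSTRUCTED_XML);
            return "expanded".equals(n.body) ? Outcome.EXPANDED : Outcome.NOT_EXPANDED;
        } catch (XStreamException e) {
            // StreamException (a parser refusal of the DOCTYPE) is a subclass of
            // XStreamException, so a rejected DTD lands here.
            return Outcome.REJECTED;
        }
    }

    public static void main(String[] args) {
        System.out.println("DomDriver:          " + check(new DomDriver()));
        System.out.println("StandardStaxDriver: " + check(new StandardStaxDriver()));
    }
}
```

Run it against the packaged xstream jar after the update; any driver that reports EXPANDED is still processing entities and needs the 1.4.9 (or later) build.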
Comment 1 Silvio Moioli 2016-03-29 13:05:57 UTC
Updated to 1.4.9, closing.

https://build.suse.de/package/show/Devel:Galaxy:Manager:Head:SLE12_Products_Test/xstream


Thanks for reporting this, Victor!!!
Comment 2 Silvio Moioli 2016-03-29 13:06:27 UTC
Actually closing.