Bugzilla – Bug 985860
VUL-0: CVE-2016-4463: xerces-c: Apache Xerces-C XML Parser Crashes on Malformed DTD
Last modified: 2018-10-26 06:39:43 UTC
bugbot adjusting priority
All sr#s should be done.
This is an autogenerated message for OBS integration: This bug (985860) was mentioned in https://build.opensuse.org/request/show/406725 Factory / xerces-c https://build.opensuse.org/request/show/406726 13.2 / xerces-c
is public http://seclists.org/oss-sec/2016/q2/625

CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.1.4

Description: The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker.

Mitigation: Applications that are using library versions older than V3.1.4 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision: http://svn.apache.org/viewvc?view=revision&revision=1747619

Note that the nesting limit is currently implemented as a compile-time constant in order to maintain ABI-compatibility.

In addition, a related enhancement was made to enable applications to fully disable DTD processing through the use of an environment variable. Distributors of older versions are urged to incorporate this patch to enable applications to more fully protect themselves from future issues if they do not require DTD support. This change is ABI-compatible and can be found in this subversion revision: http://svn.apache.org/viewvc?view=revision&revision=1747620

Credit: This issue was reported by Brandon Perry.

References: http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
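The advisory's fix is a nesting limit held in a compile-time constant, so that a recursive DTD scanner refuses input before its call stack can grow without bound. The following is an added illustration of that mitigation pattern, not Xerces-C code: a small recursive-descent scanner for DTD element content models such as `(#PCDATA|b,(c|d)*)+`, where every opening parenthesis recurses one level deeper. The assumptions are that parenthesised content models are the nested construct (the advisory only says "deeply nested DTD"), that 256 levels is a reasonable limit (the real constant's value is not on the page), and the helper names `scanContentModel`, `contentModelDepth` and `nestedModel`, which are invented for this example. The check runs before each recursive call, so a model nested past the limit is rejected with a clean error instead of exhausting the stack.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Compile-time nesting limit, mirroring the advisory's note that the real
// limit is a compile-time constant (kept so for ABI compatibility). The value
// 256 is an assumption for this example.
constexpr std::size_t kMaxContentModelDepth = 256;

enum class ScanResult { Ok, TooDeep, SyntaxError };

struct NestingTooDeep : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Recursive-descent scanner for a DTD element content model. Each '(' recurses,
// so without the depth guard the stack would grow linearly with the input.
class ContentModelScanner {
public:
    explicit ContentModelScanner(std::string src) : src_(std::move(src)) {}

    // Returns the deepest parenthesis level seen; throws on bad syntax or when
    // nesting exceeds kMaxContentModelDepth.
    std::size_t scan() {
        skipWs();
        if (peek() == '(') {
            scanGroup(0);
        } else {
            scanName();
            scanOccurrence();
        }
        skipWs();
        if (pos_ != src_.size()) throw std::runtime_error("trailing input");
        return maxDepth_;
    }

private:
    std::string src_;
    std::size_t pos_ = 0;
    std::size_t maxDepth_ = 0;

    char peek() const { return pos_ < src_.size() ? src_[pos_] : '\0'; }
    void skipWs() { while (peek() == ' ' || peek() == '\t' || peek() == '\n' || peek() == '\r') ++pos_; }
    void expect(char c) {
        if (peek() != c) throw std::runtime_error(std::string("expected '") + c + "'");
        ++pos_;
    }

    // Guard is evaluated before recursing, so the recursion depth is bounded.
    void scanGroup(std::size_t depth) {
        if (depth >= kMaxContentModelDepth) throw NestingTooDeep("content model nested too deeply");
        expect('(');
        maxDepth_ = std::max(maxDepth_, depth + 1);
        scanCp(depth + 1);
        skipWs();
        while (peek() == '|' || peek() == ',') {  // choice or sequence separators
            ++pos_;
            scanCp(depth + 1);
            skipWs();
        }
        expect(')');
        scanOccurrence();
    }

    // A content particle: a nested group or a name with an optional ?, * or +.
    void scanCp(std::size_t depth) {
        skipWs();
        if (peek() == '(') { scanGroup(depth); return; }
        scanName();
        scanOccurrence();
    }

    void scanName() {
        const std::size_t start = pos_;
        if (peek() == '#') ++pos_;  // allow #PCDATA
        while (std::isalnum(static_cast<unsigned char>(peek())) || peek() == '_' ||
               peek() == '-' || peek() == '.' || peek() == ':') ++pos_;
        if (pos_ == start) throw std::runtime_error("expected a name");
    }

    void scanOccurrence() {
        if (peek() == '?' || peek() == '*' || peek() == '+') ++pos_;
    }
};

// Non-throwing wrapper returning an outcome code; depthOut receives the measured depth on success.
ScanResult scanContentModel(const std::string& model, std::size_t* depthOut = nullptr) {
    try {
        std::size_t d = ContentModelScanner(model).scan();
        if (depthOut) *depthOut = d;
        return ScanResult::Ok;
    } catch (const NestingTooDeep&) {
        return ScanResult::TooDeep;
    } catch (const std::runtime_error&) {
        return ScanResult::SyntaxError;
    }
}

// Nesting depth of an accepted model, or 0 if the model is rejected.
std::size_t contentModelDepth(const std::string& model) {
    std::size_t d = 0;
    return scanContentModel(model, &d) == ScanResult::Ok ? d : 0;
}

// Constructed test input: a content model nested `levels` parentheses deep.
std::string nestedModel(std::size_t levels) {
    return std::string(levels, '(') + "a" + std::string(levels, ')');
}

int main() {
    std::size_t depth = 0;
    std::cout << "normal model: "
              << (scanContentModel("(#PCDATA|b,(c|d)*)+", &depth) == ScanResult::Ok ? "ok" : "rejected")
              << ", depth " << depth << '\n';
    std::cout << "model nested " << (kMaxContentModelDepth + 1) << " deep: "
              << (scanContentModel(nestedModel(kMaxContentModelDepth + 1)) == ScanResult::TooDeep
                      ? "rejected (too deep)" : "accepted") << '\n';
    return 0;
}
```

The point of the wrapper is that an over-deep model surfaces as an ordinary `TooDeep` result the application can log and drop, which is the behaviour a bounded scanner gives an unauthenticated sender of malformed DTDs; a parser without the guard has no such result to report, because the process is already gone.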
openSUSE-SU-2016:1808-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 979208,985860
CVE References: CVE-2016-0729,CVE-2016-2099,CVE-2016-4463
Sources used:
openSUSE 13.2 (src): xerces-c-3.1.4-13.9.2
SUSE-SU-2016:2154-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 979208,985860
CVE References: CVE-2016-2099,CVE-2016-4463
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xerces-c-3.1.1-12.3
SUSE Linux Enterprise Server 12-SP1 (src): xerces-c-3.1.1-12.3
SUSE Linux Enterprise Desktop 12-SP1 (src): xerces-c-3.1.1-12.3
openSUSE-SU-2016:2232-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 979208,985860
CVE References: CVE-2016-2099,CVE-2016-4463
Sources used:
openSUSE Leap 42.1 (src): xerces-c-3.1.1-19.1
released
SUSE-SU-2018:3277-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1083630,985860
CVE References: CVE-2016-4463,CVE-2017-12627
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): Xerces-c-2.8.0-29.17.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): Xerces-c-2.8.0-29.17.5.1