[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 3610-1] xerces-c security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3610-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 29, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xerces-c
CVE ID         : CVE-2016-4463
Debian Bug     : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, fails to successfully parse a DTD that is deeply nested,
causing a stack overflow. A remote unauthenticated attacker can take
advantage of this flaw to cause a denial of service against applications
using the xerces-c library.

Additionally this update includes an enhancement to enable applications
to fully disable DTD processing through the use of an environment
variable (XERCES_DISABLE_DTD).

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u3.

We recommend that you upgrade your xerces-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXdCslAAoJEAVMuPMTQ89EBXUP/1wAze1hP0PcbqqkMsBDevp4
N/+3a8ZYpq4XmcjDcZYVKwekYABJtOWnHTg/7h23dCyJUDjd28atk+DkiOtqbG19
5+SpnRnLAiRj6+2Ua8Bf7dh+ZyO3EoMMyQ0QVByADaRP/N4BIdYtImjDJcBCNyZd
2zwWhAEiIB55u30GAhvDCWsGwN5ucngOsjBI32MzKDGoYGM5gH1igTMz+21O0j7J
411BuZynQK/ZFOaQNnNRQh5Ne1ULCWHFlZOdaLv3Zietdtm9XrVaJZ6NnwK9HYvR
UTXXVj5JpJR0XOS85fmYogpjoL2aUUao8zVeGRPlSeg2rPg7IjS/fQXWAWjBVpt8
xkDMiPOo+ED+MNNGPSrsMdncNoD8PhdOGjOwhyHHD3e2wDq3p+6WoVRDU/pTLAc0
eNmMwcvbjugxzEhXMInTtRu9D++X65H/dVWoH/UWw9bMoQfz810+8AUBrc3Tgj3F
roFdmhvl2GJtoLtPYc9fIMuORuxe4cejMshhAweUJd0dZhtjQhQUj8jfeBSSaRJs
ova3BXgiegGbpl4liT2ds6ZUucJg9mZFSoRwEnZk3iXiBFM0G42BU8kajx6r+XWb
5N89ltkPa+QaRknhAGOcQGKZOtchYo4vb2jsryU99C2g1XZv81wrmqUnsdwbCSD5
2X7QhWMcTqpGgfm605x7
=6vFH
-----END PGP SIGNATURE-----


Reply to: