
[SECURITY] [DLA 1328-1] xerces-c security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : xerces-c
Version        : 3.1.1-3+deb7u5
CVE ID         : CVE-2017-12627
Debian Bug     : 894050

Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research
discovered that the Xerces-C XML parser mishandles certain kinds of
external DTD references, resulting in dereference of a NULL pointer
while processing the path to the DTD. The bug allows for a denial of
service attack in applications that allow DTD processing and do not
prevent external DTD usage, and could conceivably result in remote code
execution.

For Debian 7 "Wheezy", this problem has been fixed in version
3.1.1-3+deb7u5.

We recommend that you upgrade your xerces-c packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
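
To confirm that Wheezy hosts actually carry the fixed version, the following added example (not part of the original advisory) compares an inventory in the `dpkg-query -W -f='${Package} ${Version}\n'` format against 3.1.1-3+deb7u5, using Debian's version ordering. The inventory lines and the names `compare` and `audit` are constructed for illustration, and the threshold applies only to Debian 7 hosts.

```python
import re

FIXED = "3.1.1-3+deb7u5"  # fixed version stated in the advisory for Debian 7 "Wheezy"

def _weight(s, k):
    """dpkg character weight: '~' sorts first, then end-of-string or digit, letters, the rest."""
    if k >= len(s) or s[k].isdigit():
        return 0
    c = s[k]
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings: non-digit runs by weight, digit runs as numbers."""
    i = j = 0
    while i < len(a) or j < len(b):
        while _weight(a, i) or _weight(b, j):
            if _weight(a, i) != _weight(b, j):
                return _weight(a, i) - _weight(b, j)
            i, j = i + 1, j + 1
        m, n = re.match(r"[0-9]*", a[i:]).group(), re.match(r"[0-9]*", b[j:]).group()
        if int(m or 0) != int(n or 0):
            return int(m or 0) - int(n or 0)
        i, j = i + len(m), j + len(n)
    return 0

def _split(v):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is empty."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare(a, b):
    """Return <0, 0 or >0 when version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(inventory):
    """Map each xerces-c package in 'name version' lines to 'fixed' or 'vulnerable'."""
    result = {}
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) == 2 and "xerces-c" in parts[0]:
            result[parts[0]] = "fixed" if compare(parts[1], FIXED) >= 0 else "vulnerable"
    return result

# Constructed sample inventory, not taken from a real host.
SAMPLE = "libxerces-c3.1 3.1.1-3+deb7u4\nlibxerces-c-dev 3.1.1-3+deb7u5\nlibxml2 2.8.0-1\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Processes that loaded the library before the upgrade keep the old code mapped until they are restarted.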
