svn commit: r1825616 - in /xerces/c/trunk/doc: html/secadv/CVE-2017-12627.txt secadv.xml

[sc...@apache.org]

Author: scantor
Date: Thu Mar  1 02:12:45 2018
New Revision: 1825616

URL: http://svn.apache.org/viewvc?rev=1825616&view=rev
Log:
Add latest advisory.

Added:
    xerces/c/trunk/doc/html/secadv/CVE-2017-12627.txt
Modified:
    xerces/c/trunk/doc/secadv.xml

Added: xerces/c/trunk/doc/html/secadv/CVE-2017-12627.txt
URL: http://svn.apache.org/viewvc/xerces/c/trunk/doc/html/secadv/CVE-2017-12627.txt?rev=1825616&view=auto
==============================================================================
--- xerces/c/trunk/doc/html/secadv/CVE-2017-12627.txt (added)
+++ xerces/c/trunk/doc/html/secadv/CVE-2017-12627.txt Thu Mar  1 02:12:45 2018
@@ -0,0 +1,51 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+
+CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Xerces-C XML Parser library versions
+prior to V3.2.1
+
+Description: The Xerces-C XML parser mishandles certain kinds of external
+DTD references, resulting in dereference of a NULL pointer while processing
+the path to the DTD. The bug allows for a denial of service attack in
+applications that allow DTD processing and do not prevent external DTD
+usage, and could conceivably result in remote code execution.
+
+Mitigation: Applications that are using library versions older than
+V3.2.1 should upgrade as soon as possible. Distributors of older versions
+should apply the patch from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1819998
+
+Applications should strongly consider blocking remote entity resolution
+and/or outright disabling of DTD processing in light of the continued
+identification of bugs in this area of the library.
+
+Credit: This issue was reported by Alberto Garcia, Francisco Oca,
+and Suleman Ali of Offensive Research at Salesforce.com.
+
+References:
+http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlqXX9QACgkQN4uEVAIn
+eWIQaBAAikR87i0rxicryFO8xVkhEnrneWn4AM1h55HZNlIdYXzkzfcQqeLbtVSO
+bJey5xZIiL6lo+ybMKXyoIrqjtkD1LjqnHcyFPNCFZMD59vS+B47c86U2JU7jEPI
+N+Q33U8g8H0fAPhdop0XnhUiXBBvfpWIflunUWefLE+ybd8J5/B7CK54feC0/8CK
+Q47Lmj0aMKDtCM37gADbd6gI6PMJ7Kqjf5yb45okp2qhUZFp+8zrbczVmk/W9Opt
+JcuoxJFx+yfquMvs+yEelOr0m8vGtVJSFEJILZYEpbiMjMFvvBbXNCSQsPp7c7B9
+idLSect9ZDh5f/r3vEWKWq63dILxNBVm3D6K9PyEsYMk3rOTLeYin4KM5RRsmRV6
+8QUC0LS5y7q8ZsE8ou3XoFnBNwckHY3yixZ99kplM7SnzAN7N1EHBlQsGYOsEoQ+
+rqIWSPrbRE6Axdbrqo8FMjwq+kBB3zu4/AVl9VbUrV9o1dQGppWxqpRthUAIz6hS
+7abqQXrdrpXwVOx/dPN9/VK8EwmiBLcvgGIGmloABkPrzt7DqgqQfUUeNSUbQlBD
+exhckp4ivJre/F2lbdNcYq4ETSBybB++RCJF74DKhp6EwuFddCQfV5bqjeioCu9K
+cYjTbzLboz8jVrXTiavqY1Rpazv2agp+bv1jTU+nV0WQVaoSd0c=
+=4BQ4
+-----END PGP SIGNATURE-----

Modified: xerces/c/trunk/doc/secadv.xml
URL: http://svn.apache.org/viewvc/xerces/c/trunk/doc/secadv.xml?rev=1825616&r1=1825615&r2=1825616&view=diff
==============================================================================
--- xerces/c/trunk/doc/secadv.xml (original)
+++ xerces/c/trunk/doc/secadv.xml Thu Mar  1 02:12:45 2018
@@ -20,6 +20,14 @@
 
 <s1 title="Security Advisories">
 
+<s2 title="Addressed in 3.2.1 and Later Releases">
+<p>The following security advisories apply to versions of
+Xerces-C older than V3.2.1:</p>
+<ul>
+  <li><jump href="secadv/CVE-2017-12627.txt">CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths</jump></li>
+</ul>
+</s2>
+
 <s2 title="Addressed in 3.1.4 and Later Releases">
 <p>The following security advisories apply to versions of
 Xerces-C older than V3.1.4:</p>



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@xerces.apache.org
For additional commands, e-mail: commits-help@xerces.apache.org