Posted to commits@xerces.apache.org by sc...@apache.org on 2016/06/29 14:14:59 UTC

svn commit: r1750649 - in /xerces/c/branches/xerces-3.1/doc: html/secadv/CVE-2016-4463.txt secadv.xml

Author: scantor
Date: Wed Jun 29 14:14:59 2016
New Revision: 1750649

URL: http://svn.apache.org/viewvc?rev=1750649&view=rev
Log:
Add advisory to site

Added:
    xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2016-4463.txt
Modified:
    xerces/c/branches/xerces-3.1/doc/secadv.xml

Added: xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2016-4463.txt
URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2016-4463.txt?rev=1750649&view=auto
==============================================================================
--- xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2016-4463.txt (added)
+++ xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2016-4463.txt Wed Jun 29 14:14:59 2016
@@ -0,0 +1,58 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+
+CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Xerces-C XML Parser library versions
+prior to V3.1.4
+
+Description: The Xerces-C XML parser fails to successfully parse a
+DTD that is deeply nested, and this causes a stack overflow, which
+makes a denial of service attack against many applications possible
+by an unauthenticated attacker.
+
+Mitigation: Applications that are using library versions older than
+V3.1.4 should upgrade as soon as possible. Distributors of older
+versions should apply the patches from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1747619
+
+Note that the nesting limit is currently implemented as a compile-time
+constant in order to maintain ABI-compatibility.
+
+In addition, a related enhancement was made to enable applications
+to fully disable DTD processing through the use of an environment
+variable. Distributors of older versions are urged to incorporate
+this patch to enable applications to more fully protect themselves
+from future issues if they do not require DTD support. This change
+is ABI-compatible and can be found in this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1747620
+
+Credit: This issue was reported by Brandon Perry.
+
+References:
+http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+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+=eilz
+-----END PGP SIGNATURE-----
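Review bot: The second Mitigation paragraph says DTD processing can be "fully disabled through the use of an environment variable" but never names the variable or the value it expects, so a distributor or deployer reading only this advisory cannot act on it without digging through r1747620; suggest stating the variable name and accepted value in the advisory text itself. Likewise, "the nesting limit is currently implemented as a compile-time constant" would be more useful with the default depth and the constant's name, so packagers building from patched older sources know what limit they are shipping and where to adjust it. Both additions are documentation-only and keep the advisory self-contained, which matters since the .txt is the canonical reference linked from the site.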

Modified: xerces/c/branches/xerces-3.1/doc/secadv.xml
URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/doc/secadv.xml?rev=1750649&r1=1750648&r2=1750649&view=diff
==============================================================================
--- xerces/c/branches/xerces-3.1/doc/secadv.xml (original)
+++ xerces/c/branches/xerces-3.1/doc/secadv.xml Wed Jun 29 14:14:59 2016
@@ -20,6 +20,14 @@
 
 <s1 title="Security Advisories">
 
+<s2 title="Addressed in 3.1.4 and Later Releases">
+<p>The following security advisories apply to versions of
+Xerces-C older than V3.1.4:</p>
+<ul>
+  <li><jump href="secadv/CVE-2016-4463.txt">CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD</jump></li>
+</ul>
+</s2>
+
 <s2 title="Addressed in 3.1.3 and Later Releases">
 <p>The following security advisories apply to versions of
 Xerces-C older than V3.1.3:</p>


