Posted to c-users@xerces.apache.org by "Cantor, Scott" <ca...@osu.edu> on 2018/03/01 02:15:08 UTC

Xerces-C Security Advisory [CVE-2017-12627]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.2.1

Description: The Xerces-C XML parser mishandles certain kinds of external
DTD references, resulting in a NULL pointer dereference while processing
the path to the DTD. The bug allows a denial of service attack against
applications that allow DTD processing and do not prevent external DTD
usage, and could conceivably result in remote code execution.

Mitigation: Applications using library versions older than V3.2.1
should upgrade as soon as possible. Distributors of older versions
should apply the patch from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1819998

Applications should strongly consider blocking remote entity resolution
and/or disabling DTD processing outright, in light of the continued
identification of bugs in this area of the library.
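One way to act on that advice at the application boundary, as an added example that is not part of this advisory or of the Xerces-C code base: refuse any document whose prolog carries a DOCTYPE before the bytes ever reach the parser, so the external-DTD path behind CVE-2017-12627 is never exercised. (Inside Xerces-C itself the corresponding parser settings are setLoadExternalDTD(false) on the DOM parsers, or the XMLUni::fgXercesLoadExternalDTD feature on SAX2 readers, together with setDisableDefaultEntityResolution(true) / XMLUni::fgXercesDisableDefaultEntityResolution.) The gate below is dependency-free C++; the sample documents in main() are constructed for illustration, and the xmlgate namespace and its function names are this example's own, not a Xerces-C API. It rejects every DOCTYPE rather than only those with a SYSTEM or PUBLIC identifier, because an internal subset can still declare external entities and reference external parameter entities.

```cpp
// Added example (not Xerces-C project code): a pre-parse gate that refuses
// any XML document whose prolog declares a DOCTYPE, so that no DTD, external
// or internal, is handed to the parser. Assumes a UTF-8/ASCII-compatible
// encoding; UTF-16 input would need transcoding first.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

namespace xmlgate {

enum class Verdict {
    Accept,          // prolog holds no DOCTYPE: the bytes may go to the parser
    RejectDoctype,   // a DOCTYPE declaration was found: refuse before parsing
    RejectMalformed  // prolog is not well-formed: refuse (a parser would too)
};

namespace {

// True when `lit` occurs in `s` exactly at `pos`, without reading past the end.
bool at(const std::string& s, std::size_t pos, const char* lit) {
    const std::size_t n = std::strlen(lit);
    return pos + n <= s.size() && s.compare(pos, n, lit) == 0;
}

bool is_space(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

// Advance `pos` past the next occurrence of `close`, or report that it is missing.
bool skip_until(const std::string& s, std::size_t& pos, const char* close) {
    const std::size_t end = s.find(close, pos);
    if (end == std::string::npos) return false;
    pos = end + std::strlen(close);
    return true;
}

}  // namespace

// Walk the prolog (optional BOM, XML declaration, comments, processing
// instructions, whitespace) up to the first real markup and classify it.
// XML permits a doctypedecl only in the prolog, so one appearing later is a
// well-formedness error for a conformant parser, not a DTD it will load.
Verdict check_prolog(const std::string& doc) {
    std::size_t pos = at(doc, 0, "\xEF\xBB\xBF") ? 3 : 0;  // skip a UTF-8 BOM
    for (;;) {
        while (pos < doc.size() && is_space(doc[pos])) ++pos;
        if (pos >= doc.size()) return Verdict::RejectMalformed;  // no root element
        if (doc[pos] != '<') return Verdict::RejectMalformed;     // text before root
        if (at(doc, pos, "<?")) {      // XML declaration or PI: skip to "?>"
            if (!skip_until(doc, pos, "?>")) return Verdict::RejectMalformed;
            continue;
        }
        if (at(doc, pos, "<!--")) {    // comment: a "<!DOCTYPE" inside it is inert
            if (!skip_until(doc, pos, "-->")) return Verdict::RejectMalformed;
            continue;
        }
        if (at(doc, pos, "<!DOCTYPE")) return Verdict::RejectDoctype;
        if (at(doc, pos, "<!")) return Verdict::RejectMalformed;  // nothing else is legal here
        return Verdict::Accept;        // '<' followed by a name: the root element
    }
}

// Convenience wrapper for call sites: only Accept may proceed to the parser.
bool safe_to_parse(const std::string& doc) {
    return check_prolog(doc) == Verdict::Accept;
}

}  // namespace xmlgate

int main() {
    // Constructed sample documents (not taken from the advisory).
    const char* samples[] = {
        "<?xml version=\"1.0\"?>\n<doc/>",
        "<?xml version=\"1.0\"?>\n<!DOCTYPE doc SYSTEM \"http://example.invalid/doc.dtd\">\n<doc/>",
        "<!DOCTYPE doc [<!ENTITY e SYSTEM \"file:///etc/hostname\">]>\n<doc>&e;</doc>",
        "<!-- <!DOCTYPE inside a comment is inert --><doc/>",
        "hello <doc/>",
    };
    for (const char* s : samples) {
        const xmlgate::Verdict v = xmlgate::check_prolog(s);
        std::cout << (v == xmlgate::Verdict::Accept ? "accept          " :
                      v == xmlgate::Verdict::RejectDoctype ? "reject: DOCTYPE " :
                                                             "reject: malformed")
                  << "  " << std::string(s).substr(0, 40) << '\n';
    }
    return 0;
}
```

Run the gate on the raw request body before constructing any Xerces-C parser object; a RejectDoctype verdict is the signal to log and drop the document, and RejectMalformed is simply an early version of the error the parser would raise anyway.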

Credit: This issue was reported by Alberto Garcia, Francisco Oca,
and Suleman Ali of Offensive Research at Salesforce.com.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlqXX9QACgkQN4uEVAIn
eWIQaBAAikR87i0rxicryFO8xVkhEnrneWn4AM1h55HZNlIdYXzkzfcQqeLbtVSO
bJey5xZIiL6lo+ybMKXyoIrqjtkD1LjqnHcyFPNCFZMD59vS+B47c86U2JU7jEPI
N+Q33U8g8H0fAPhdop0XnhUiXBBvfpWIflunUWefLE+ybd8J5/B7CK54feC0/8CK
Q47Lmj0aMKDtCM37gADbd6gI6PMJ7Kqjf5yb45okp2qhUZFp+8zrbczVmk/W9Opt
JcuoxJFx+yfquMvs+yEelOr0m8vGtVJSFEJILZYEpbiMjMFvvBbXNCSQsPp7c7B9
idLSect9ZDh5f/r3vEWKWq63dILxNBVm3D6K9PyEsYMk3rOTLeYin4KM5RRsmRV6
8QUC0LS5y7q8ZsE8ou3XoFnBNwckHY3yixZ99kplM7SnzAN7N1EHBlQsGYOsEoQ+
rqIWSPrbRE6Axdbrqo8FMjwq+kBB3zu4/AVl9VbUrV9o1dQGppWxqpRthUAIz6hS
7abqQXrdrpXwVOx/dPN9/VK8EwmiBLcvgGIGmloABkPrzt7DqgqQfUUeNSUbQlBD
exhckp4ivJre/F2lbdNcYq4ETSBybB++RCJF74DKhp6EwuFddCQfV5bqjeioCu9K
cYjTbzLboz8jVrXTiavqY1Rpazv2agp+bv1jTU+nV0WQVaoSd0c=
=4BQ4
-----END PGP SIGNATURE-----


Re: Xerces-C Security Advisory [CVE-2017-12627]

Posted by DK <dk...@gmail.com>.
Please delete this account from the thread. My father passed away last
year.
