FS#49353 - [xerces-c] CVE-2016-2099: use-after-free in DTDScanner
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 16 May 2016, 07:45 GMT
Last edited by Lukas Fleischer (lfleischer) - Saturday, 25 June 2016, 11:51 GMT
Details
Hello,
A security issue has been reported [1][2] in xerces-c <= 3.1.3. It's a heap use-after-free so at least a denial of service, but could lead to code execution. A patch is available at [1] but it doesn't look like a new version is going to be released soon. Debian has already applied this patch to stretch and sid [3], and IMHO we should do the same. Thanks!

[1]: https://issues.apache.org/jira/browse/XERCESC-2066
[2]: http://www.openwall.com/lists/oss-security/2016/05/09/7
[3]: https://sources.debian.net/patches/xerces-c/3.1.3%2Bdebian-2/
Closed by Lukas Fleischer (lfleischer)
Saturday, 25 June 2016, 11:51 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 3.1.3-2.