| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA256 |
| |
| |
| CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD |
| |
| Severity: Important |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: Apache Xerces-C XML Parser library versions |
| prior to V3.1.4 |
| |
| Description: The Xerces-C XML parser fails to successfully parse a |
| DTD that is deeply nested, and this causes a stack overflow, which |
| makes a denial of service attack against many applications possible |
| by an unauthenticated attacker. |
| |
| Mitigation: Applications that are using library versions older than |
| V3.1.4 should upgrade as soon as possible. Distributors of older |
| versions should apply the patches from this subversion revision: |
| |
| http://svn.apache.org/viewvc?view=revision&revision=1747619 |
| |
| Note that the nesting limit is currently implemented as a compile-time |
| constant in order to maintain ABI-compatibility. |
| |
| In addition, a related enhancement was made to enable applications |
| to fully disable DTD processing through the use of an environment |
| variable. Distributors of older versions are urged to incorporate |
| this patch to enable applications to more fully protect themselves |
| from future issues if they do not require DTD support. This change |
| is ABI-compatible and can be found in this subversion revision: |
| |
| http://svn.apache.org/viewvc?view=revision&revision=1747620 |
| |
| Credit: This issue was reported by Brandon Perry. |
| |
| References: |
| http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt |
| |
| -----BEGIN PGP SIGNATURE----- |
| Version: GnuPG v2 |
| |
| iQIcBAEBCAAGBQJXXqPQAAoJEDeLhFQCJ3liyRwQAI5aUjhKtZtw+51EgNizpuLa |
| dvfEP27anUXLKwLXt+WIfogW3TLQ4HwyiszanO4YTlwz3qbKO3TJQXdT4kTQx6/k |
| KhWr7+vsn7pBEPiiC7kj3lH7QHCd+T8/W+Xik/rKDFV1qAAKuoFgYJ31qED8I65z |
| 371Tdm+p2QE4Nh9M7k7LUs+yWu5XdwJIS61L3R/MpEptynuo7Onbp+sjF6OQCZHc |
| u1KJ3zAlKzP4iwtxKjvoXqOnLgYwjtqC2p7nYBEXOEn4DA4Q/PMrfdYIebjUo/Wy |
| CeIN5TGJ2aunMkVK0RgxCqjr0sl2cYqY8iegUqp9Iz4+rMpy5ZDLNyyjgbXgSY73 |
| 8145xO2tscLs7bLXAXUGbLlOPxnDqVieGlYyHICFnl58I4ekfhwtMmd9d2WOlaVE |
| 7NEPTorFiHI+wdK2yebCLAMaJbL9KJQiJa/4xw9qvpZ4DQ7aein9jq7fklQ62crc |
| Ff4h4icX4icM1/s1tvcEM1lZw8Td4UyXkwvoEmfZg7dVy4NW+XM/Kn4FUCPRnC9A |
| XVAabL3K290Mz77YLqUTk733w1q/lFCxgOCJF18/OJef2azMn74QgFbLcBD16i2O |
| FNxdtPsSRGNsfOGN08Uiwg9RN6uqoZ6Rxwq3hEcAiufYQHFiXldlS26koP2QMk03 |
| gNuHTr22AcR0ZgoW9GYP |
| =eilz |
| -----END PGP SIGNATURE----- |