-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow remote code
execution, but it is a denial-of-service issue: in many applications
an unauthenticated attacker may be able to supply malformed input
and cause a crash.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this Subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1667870

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----