| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA256 |
| |
| CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input |
| |
| Severity: Critical |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: Apache Xerces-C XML Parser library versions |
| prior to V3.1.3 |
| |
| Description: The Xerces-C XML parser mishandles certain kinds of malformed |
| input documents, resulting in buffer overflows during processing and error |
| reporting. The overflows can manifest as a segmentation fault or as memory |
| corruption during a parse operation. The bugs allow for a denial of service |
| attack in many applications by an unauthenticated attacker, and could |
| conceivably result in remote code execution. |
| |
| Mitigation: Applications that are using library versions older than |
| V3.1.3 should upgrade as soon as possible. Distributors of older versions |
| should apply the patches from this Subversion revision: |
| |
| http://svn.apache.org/viewvc?view=revision&revision=1727978 |
| |
| Credit: This issue was reported by Gustavo Grieco. |
| |
| References: |
| http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt |
| |
| -----BEGIN PGP SIGNATURE----- |
| Version: GnuPG v2 |
| |
| -----END PGP SIGNATURE----- |
| |