CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.2.1
Description: The Xerces-C XML parser mishandles certain kinds of external
DTD references, resulting in dereference of a NULL pointer while processing
the path to the DTD. The bug allows for a denial of service attack in
applications that allow DTD processing and do not prevent external DTD
usage, and could conceivably result in remote code execution.
Mitigation: Applications that are using library versions older than
V3.2.1 should upgrade as soon as possible. Distributors of older versions
should apply the patch from this subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=1819998
Applications should strongly consider blocking remote entity resolution
and/or outright disabling of DTD processing in light of the continued
identification of bugs in this area of the library.
Credit: This issue was reported by Alberto Garcia, Francisco Oca,
and Suleman Ali of Offensive Research at Salesforce.com.
References:
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt