[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17738217#comment-17738217 ]

Benjamin Fritz edited comment on XERCESC-2188 at 6/30/23 10:35 PM:
-------------------------------------------------------------------

FYI [~ilatypov] updates to CVEs in NVD can be requested here: 
https://cveform.mitre.org/ (sometimes they respond with a different place to 
report instead; I will try to remember to update if this is the case for this 
one)

I have gone ahead and requested the affected versions be updated to reflect 
that there is currently no fixed version, referencing this issue page and the 
advisory, since at this time version 3.2.3 is still listed as the last impacted 
version in NVD.

Edit: I have been instructed to forward my request to secur...@apache.org 
because Apache is the CNA for this CVE. I have done so.


was (Author: JIRAUSER295541):
FYI [~ilatypov] updates to CVEs in NVD can be requested here: 
https://cveform.mitre.org/ (sometimes they respond with a different place to 
report instead; I will try to remember to update if this is the case for this 
one)

I have gone ahead and requested the affected versions be updated to reflect 
that there is currently no fixed version, referencing this issue page and the 
advisory, since at this time version 3.2.3 is still listed as the last impacted 
version in NVD.

> Use-after-free on external DTD scan
> -----------------------------------
>
>                 Key: XERCESC-2188
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2188
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Validating Parser (DTD)
>    Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 
> 3.1.4, 3.2.1, 3.2.2
>            Reporter: Scott Cantor
>            Priority: Major
>         Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per 
> the attached PDF, corresponding to CVE-2018-1311.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
