This is an automated email from the ASF dual-hosted git repository.

scantor pushed a commit to branch xerces-3.3
in repository https://gitbox.apache.org/repos/asf/xerces-c.git


The following commit(s) were added to refs/heads/xerces-3.3 by this push:
     new f52acc01a website: improve security page
f52acc01a is described below

commit f52acc01adb420faf8b77d706cf4774ca5ae2821
Author: Arnout Engelen <arn...@bzzt.net>
AuthorDate: Mon Feb 24 15:14:07 2025 +0100

    website: improve security page
    
    Add reference to CVE-2012-0880, security model, and reporting
    guidelines.
---
 doc/Makefile.am                   |  3 +++
 doc/html/secadv/CVE-2012-0880.txt | 14 ++++++++++++++
 doc/readme.xml                    |  6 ++++--
 doc/secadv.xml                    | 19 ++++++++++++++++++-
 doc/xerces-c_book.xml             |  2 +-
 5 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/doc/Makefile.am b/doc/Makefile.am
index 0de016a34..cbdde7757 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -105,9 +105,12 @@ EXTRA_DIST = CMakeLists.txt \
              faq-parse.xml \
              feedback.xml \
              html/ApacheDOMC++Binding.html \
+             html/secadv/CVE-2012-0880.txt \
              html/secadv/CVE-2015-0252.txt \
              html/secadv/CVE-2016-0729.txt \
              html/secadv/CVE-2016-4463.txt \
+             html/secadv/CVE-2017-12627.txt \
+             html/secadv/CVE-2018-1311.txt \
              install.xml \
              mailing-lists.xml \
              memparse.xml \
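Review bot: the two EXTRA_DIST additions for html/secadv/CVE-2017-12627.txt and html/secadv/CVE-2018-1311.txt are not mentioned in the commit message, and this patch does not create those files, so the reader has to infer that they already existed in the tree but were missing from the distribution list. Please add a sentence to the commit message saying that the two existing advisory files are now shipped with the release tarball, and confirm both files are present at those paths, since a missing EXTRA_DIST entry fails `make dist`.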
diff --git a/doc/html/secadv/CVE-2012-0880.txt 
b/doc/html/secadv/CVE-2012-0880.txt
new file mode 100644
index 000000000..cf17cf445
--- /dev/null
+++ b/doc/html/secadv/CVE-2012-0880.txt
@@ -0,0 +1,14 @@
+CVE-2012-0880 xml: xerces-c hash table collisions CPU usage DoS 
(oCERT-2011-003)
+
+Vendor: Red Hat, Inc
+
+Versions Affected: all
+
+Description: Apache Xerces-C++ allows remote attackers to cause a denial of 
service (CPU consumption) via a crafted message sent to an XML service that 
causes hash table collisions.
+
+Xerces project note: Exploitation of this issue is not trivial. We are not 
aware of any well-known method to attack the hash function we use, but 
mathematically speaking we should assume it to be possible.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=787103
+https://seclists.org/oss-sec/2014/q3/96
+https://ocert.org/advisories/ocert-2011-003.html
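Review bot: "Versions Affected: all" gives no fixed version and no mitigation, which is inconsistent with the same patch listing this CVE under "Addressed in 3.2.5 and Later Releases" in doc/secadv.xml. The "Xerces project note" suggests the hash-collision issue is considered hard to exploit rather than fixed; please state explicitly either the release in which the hash function was changed or that no fix is available and the CPU-exhaustion risk falls under the new security model (application-side resource limits). A "Reported by" line would also match the other advisory files better than "Vendor: Red Hat, Inc", since Red Hat is the reporter, not the vendor.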
diff --git a/doc/readme.xml b/doc/readme.xml
index a03d553e2..4307261e3 100644
--- a/doc/readme.xml
+++ b/doc/readme.xml
@@ -39,8 +39,10 @@
         portability, care has been taken to make minimal use of templates and 
minimal use of
         #ifdefs.</p>
 
-        <note>Please note that &XercesCName; currently lacks active 
maintainers and
-        therefore may not be able to promptly address bugs and security 
vulnerabilities.</note>
+        <note>Please note that Xerces-C++ currently lacks active maintainers 
and therefore may
+        not be able to promptly address all bugs and security risks. See the
+        <jump href="secadv.html">Security page</jump> for important 
information about using
+        Xerces-C++ securely.</note>
     </s2>
 
     <s2 title="Applications of the &XercesCProjectName; Parser">
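Review bot: the rewritten note replaces the `&XercesCName;` entity with the literal "Xerces-C++" while the surrounding file still uses entities (see `&XercesCProjectName;` in the s2 title right below). Keep the entity for consistency, e.g. `<note>Please note that &XercesCName; currently lacks active maintainers`, so that a future rename only has to touch the entity definition. The added `<jump href="secadv.html">` is fine as a relative link because the book keeps the document id "secadv".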
diff --git a/doc/secadv.xml b/doc/secadv.xml
index fca26990a..09ec6e517 100644
--- a/doc/secadv.xml
+++ b/doc/secadv.xml
@@ -18,13 +18,30 @@
 
 <!DOCTYPE s1 SYSTEM "sbk:/style/dtd/document.dtd">
 
-<s1 title="Security Advisories">
+<s1 title="Security">
+
+<s2 title="Security Model">
+
+<p>Apache Xerces-C++ currently lacks active maintainers and therefore needs to 
tightly scope what security guarantees it provides.</p>
+
+<p>We recommend that users that process untrusted input take their own 
precautions to make sure their applications fail gracefully when the input 
takes inappropriate amounts of memory or CPU to process.</p>
+
+<p>Therefore we will no longer accept Denial of Service reports as security 
vulnerabilities. We will still consider reports where Xerces-C++ processes 
external paths (when it is correctly configured not to), or where it allows 
arbitrary code execution.</p>
+
+</s2>
+
+<s2 title="Reporting">
+
+<p>To report a problem where Xerces-C++ behaves in a way that violates the 
security model described above, please use the <jump 
href="https://security.apache.org/report-code/";>ASF-wide reporting 
process</jump>.</p>
+
+</s2>
 
 <s2 title="Addressed in 3.2.5 and Later Releases">
 <p>The following security advisories apply to versions of
 Xerces-C older than V3.2.5:</p>
 <ul>
   <li><jump href="secadv/CVE-2018-1311.txt">CVE-2018-1311: Apache Xerces-C 
use-after-free vulnerability scanning external DTD</jump></li>
+  <li><jump href="secadv/CVE-2012-0880.txt">CVE-2012-0880: Apache Xerces-C 
hash table collisions CPU usage DoS</jump></li>
 </ul>
 </s2>
 
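Review bot: the new `<li>` for CVE-2012-0880 is placed under "Addressed in 3.2.5 and Later Releases", but the advisory text added in this same patch says "Versions Affected: all" and only offers a project note that exploitation is non-trivial, so the heading promises a fix the advisory does not document. Either move the entry to its own section (for example "Not Fixed, see Security Model") or add the fixed version to the advisory; also consider listing it before CVE-2018-1311 so entries stay in chronological order. In the Security Model paragraph, "processes external paths (when it is correctly configured not to)" would be clearer as a concrete reference to the external entity and DTD loading settings the project documents, since that is the configuration users must check.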
diff --git a/doc/xerces-c_book.xml b/doc/xerces-c_book.xml
index 1ae300640..41c5a4b6d 100644
--- a/doc/xerces-c_book.xml
+++ b/doc/xerces-c_book.xml
@@ -27,7 +27,7 @@
      <document id="index"       label="Overview"         source="readme.xml"/>
      <document id="charter"     label="Charter"          source="charter.xml"/>
      <document id="releases"    label="Release Info"     
source="releases.xml"/>
-     <document id="secadv"      label="Advisories"       source="secadv.xml"/>
+     <document id="secadv"      label="Security"         source="secadv.xml"/>
      <hidden id="releases_archive"                   
source="releases_archive.xml"/>
      <hidden id="releases_plan" source="releases_plan.xml"/>
      <external href="http://&XercesDistDir;";              label="Download"/>

