Author: scantor
Date: Fri Mar 20 18:23:01 2015
New Revision: 1668110

URL: http://svn.apache.org/r1668110
Log:
Commit secadv to branch, and other post-release fixes to site

Added:
    xerces/c/branches/xerces-3.1/doc/html/secadv/
    xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2015-0252.txt
Modified:
    xerces/c/branches/xerces-3.1/doc/releases_plan.xml
    xerces/c/branches/xerces-3.1/doc/secadv.xml

Added: xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2015-0252.txt
URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2015-0252.txt?rev=1668110&view=auto
==============================================================================
--- xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2015-0252.txt (added)
+++ xerces/c/branches/xerces-3.1/doc/html/secadv/CVE-2015-0252.txt Fri Mar 20 
18:23:01 2015
@@ -0,0 +1,51 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+
+CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Xerces-C XML Parser library versions
+prior to V3.1.2
+
+Description: The Xerces-C XML parser mishandles certain kinds of
+malformed input documents, resulting in a segmentation fault during
+a parse operation. The bug does not appear to allow for remote code
+execution, but is a denial of service attack that in many applications
+may allow for an unauthenticated attacker to supply malformed input
+and cause a crash.
+
+Mitigation: Applications that are using library versions older than
+V3.1.2 should upgrade as soon as possible. Distributors of older versions
+should apply the patches from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1667870
+
+Credit: This issue was reported independently by Anton Rager and Jonathan
+Brossard from the Salesforce.com Product Security Team and by Ben Laurie
+of Google.
+
+References:
+http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+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+=l9vC
+-----END PGP SIGNATURE-----
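
Review bot: In the Description paragraph, "certain kinds of malformed input documents" gives readers nothing to judge their exposure by: it does not say whether every parser configuration is affected or only some, so the only actionable part is the Mitigation's upgrade to V3.1.2. If the detail is being withheld on purpose, one sentence stating whether the crash is reachable from any untrusted document would still help triage. In the same paragraph, "is a denial of service attack" describes the bug itself as an attack; "allows a denial of service" reads more accurately. Because the text sits inside a PGP clearsigned block, any wording change has to be re-signed before it is committed.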

Modified: xerces/c/branches/xerces-3.1/doc/releases_plan.xml
URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/doc/releases_plan.xml?rev=1668110&r1=1668109&r2=1668110&view=diff
==============================================================================
--- xerces/c/branches/xerces-3.1/doc/releases_plan.xml (original)
+++ xerces/c/branches/xerces-3.1/doc/releases_plan.xml Fri Mar 20 18:23:01 2015
@@ -23,12 +23,9 @@
 <s2 title="&XercesCName; Future Releases Plan">
 <p>This document highlights the release plan for &XercesCName;.</p>
 
-<s3 title="Current Status"><p>&XercesCName; &XercesCLatest; - released on 
April 27, 2010.</p></s3>
+<s3 title="Current Status"><p>&XercesCName; &XercesCLatest; - released on 
March 19, 2015.</p></s3>
 
 <s3 title="Next Target Release">
-       <p>The next release will be 3.1.2 and
-        will include bug fixes, with no ABI changes.</p>
-
         <p>There are feature additions checked into the trunk for
         inclusion in a future 3.2.0 release, but there is no timetable
         for this release.</p>
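
Review bot: The release date on the "Current Status" line is typed by hand next to the &XercesCLatest; entity, so the version and its date have to be kept in step manually and can drift apart. Consider carrying the date in an entity of its own, maintained together with &XercesCLatest;, so one edit updates both. With the 3.1.2 paragraph removed, "Next Target Release" now only says that 3.2.0 has no timetable; if no further 3.1.x release is planned, it is worth saying so outright.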

Modified: xerces/c/branches/xerces-3.1/doc/secadv.xml
URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/doc/secadv.xml?rev=1668110&r1=1668109&r2=1668110&view=diff
==============================================================================
--- xerces/c/branches/xerces-3.1/doc/secadv.xml (original)
+++ xerces/c/branches/xerces-3.1/doc/secadv.xml Fri Mar 20 18:23:01 2015
@@ -20,6 +20,12 @@
 
 <s1 title="Security Advisories">
 
-<p>This is a place-holder for any future security advisories issued by the 
project.</p>
+<s2 title="Addressed in 3.1.2 and Later Releases">
+<p>The following security advisories apply to versions of
+Xerces-C older than V3.1.2:</p>
+<ul>
+  <li><jump href="secadv/CVE-2015-0252.txt">CVE-2015-0252: Apache Xerces-C XML 
Parser Crashes on Malformed Input</jump></li>
+</ul>
+</s2>
 
 </s1>
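
Review bot: The new intro paragraph hardcodes "Xerces-C" and writes the version as "V3.1.2", while the heading directly above it says "3.1.2" and releases_plan.xml in this same commit uses the &XercesCName; entity for the product name. Use the entity and settle on one version spelling. The list item could also carry the advisory's severity (Important) so readers can triage from this index without opening the .txt file.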


