Author: scantor
Date: Thu Mar  1 02:13:40 2018
New Revision: 1825617

URL: http://svn.apache.org/viewvc?rev=1825617&view=rev
Log:
Add latest advisory.

Added:
    xerces/site/trunk/production/xerces-c/secadv/CVE-2017-12627.txt
Modified:
    xerces/site/trunk/production/xerces-c/secadv.html

Modified: xerces/site/trunk/production/xerces-c/secadv.html
URL: 
http://svn.apache.org/viewvc/xerces/site/trunk/production/xerces-c/secadv.html?rev=1825617&r1=1825616&r2=1825617&view=diff
==============================================================================
--- xerces/site/trunk/production/xerces-c/secadv.html (original)
+++ xerces/site/trunk/production/xerces-c/secadv.html Thu Mar  1 02:13:40 2018
@@ -69,6 +69,14 @@
 
 <IMG border="0" height="14" hspace="0" src="resources/close.gif" vspace="0" 
width="120"><BR></TD><TD align="left" valign="top" width="500"><TABLE 
border="0" cellpadding="3" cellspacing="0"><TR><TD>
 
+<TABLE border="0" cellpadding="0" cellspacing="0" width="494"><TR><TD 
bgcolor="ffffff" colspan="2" width="494"><TABLE border="0" cellpadding="0" 
cellspacing="0" width="494"><TR><TD bgcolor="#039acc" height="1" width="1"><IMG 
border="0" height="1" hspace="0" src="resources/void.gif" vspace="0" 
width="1"></TD><TD bgcolor="#039acc" height="1" width="492"><IMG border="0" 
height="1" hspace="0" src="resources/void.gif" vspace="0" width="492"></TD><TD 
bgcolor="#0086b2" height="1" width="1"><IMG border="0" height="1" hspace="0" 
src="resources/void.gif" vspace="0" width="1"></TD></TR><TR><TD 
bgcolor="#039acc" width="1"><IMG border="0" height="1" hspace="0" 
src="resources/void.gif" vspace="0" width="1"></TD><TD bgcolor="#0086b2" 
width="492"><FONT color="#ffffff" face="arial,helvetica,sanserif" 
size="+1"><IMG border="0" height="2" hspace="0" src="resources/void.gif" 
vspace="0" width="2"><B>Addressed in 3.2.1 and Later 
Releases</B></FONT></TD><TD bgcolor="#017299" width="1"><IMG border="0" heig
 ht="1" hspace="0" src="resources/void.gif" vspace="0" 
width="1"></TD></TR><TR><TD bgcolor="#0086b2" height="1" width="1"><IMG 
border="0" height="1" hspace="0" src="resources/void.gif" vspace="0" 
width="1"></TD><TD bgcolor="#017299" height="1" width="492"><IMG border="0" 
height="1" hspace="0" src="resources/void.gif" vspace="0" width="492"></TD><TD 
bgcolor="#017299" height="1" width="1"><IMG border="0" height="1" hspace="0" 
src="resources/void.gif" vspace="0" 
width="1"></TD></TR></TABLE></TD></TR><TR><TD width="10">&nbsp;</TD><TD 
width="484"><FONT color="#000000" face="arial,helvetica,sanserif">
+<P>The following security advisories apply to versions of
+Xerces-C older than V3.2.1:</P>
+<UL>
+  <LI><A href="secadv/CVE-2017-12627.txt">CVE-2017-12627: Apache Xerces-C DTD 
vulnerability processing external paths</A></LI>
+</UL>
+</FONT></TD></TR></TABLE><BR>
+
 <TABLE border="0" cellpadding="0" cellspacing="0" width="494"><TR><TD 
bgcolor="ffffff" colspan="2" width="494"><TABLE border="0" cellpadding="0" 
cellspacing="0" width="494"><TR><TD bgcolor="#039acc" height="1" width="1"><IMG 
border="0" height="1" hspace="0" src="resources/void.gif" vspace="0" 
width="1"></TD><TD bgcolor="#039acc" height="1" width="492"><IMG border="0" 
height="1" hspace="0" src="resources/void.gif" vspace="0" width="492"></TD><TD 
bgcolor="#0086b2" height="1" width="1"><IMG border="0" height="1" hspace="0" 
src="resources/void.gif" vspace="0" width="1"></TD></TR><TR><TD 
bgcolor="#039acc" width="1"><IMG border="0" height="1" hspace="0" 
src="resources/void.gif" vspace="0" width="1"></TD><TD bgcolor="#0086b2" 
width="492"><FONT color="#ffffff" face="arial,helvetica,sanserif" 
size="+1"><IMG border="0" height="2" hspace="0" src="resources/void.gif" 
vspace="0" width="2"><B>Addressed in 3.1.4 and Later 
Releases</B></FONT></TD><TD bgcolor="#017299" width="1"><IMG border="0" heig
 ht="1" hspace="0" src="resources/void.gif" vspace="0" 
width="1"></TD></TR><TR><TD bgcolor="#0086b2" height="1" width="1"><IMG 
border="0" height="1" hspace="0" src="resources/void.gif" vspace="0" 
width="1"></TD><TD bgcolor="#017299" height="1" width="492"><IMG border="0" 
height="1" hspace="0" src="resources/void.gif" vspace="0" width="492"></TD><TD 
bgcolor="#017299" height="1" width="1"><IMG border="0" height="1" hspace="0" 
src="resources/void.gif" vspace="0" 
width="1"></TD></TR></TABLE></TD></TR><TR><TD width="10">&nbsp;</TD><TD 
width="484"><FONT color="#000000" face="arial,helvetica,sanserif">
 <P>The following security advisories apply to versions of
 Xerces-C older than V3.1.4:</P>
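Review bot: only the rendered secadv.html is touched in this revision; the new "Addressed in 3.2.1 and Later Releases" block is a verbatim copy of the 3.1.4 block's nested-table frame (down to the `bgcolor="ffffff"` that lacks the leading `#` used by every other colour value), so if this page is generated from a site source document, that source should carry the same change or the next regeneration will drop the new section. The version text ("older than V3.2.1") and the link target `secadv/CVE-2017-12627.txt` do match the advisory added in the same revision.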

Added: xerces/site/trunk/production/xerces-c/secadv/CVE-2017-12627.txt
URL: 
http://svn.apache.org/viewvc/xerces/site/trunk/production/xerces-c/secadv/CVE-2017-12627.txt?rev=1825617&view=auto
==============================================================================
--- xerces/site/trunk/production/xerces-c/secadv/CVE-2017-12627.txt (added)
+++ xerces/site/trunk/production/xerces-c/secadv/CVE-2017-12627.txt Thu Mar  1 
02:13:40 2018
@@ -0,0 +1,51 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+
+CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Xerces-C XML Parser library versions
+prior to V3.2.1
+
+Description: The Xerces-C XML parser mishandles certain kinds of external
+DTD references, resulting in dereference of a NULL pointer while processing
+the path to the DTD. The bug allows for a denial of service attack in
+applications that allow DTD processing and do not prevent external DTD
+usage, and could conceivably result in remote code execution.
+
+Mitigation: Applications that are using library versions older than
+V3.2.1 should upgrade as soon as possible. Distributors of older versions
+should apply the patch from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1819998
+
+Applications should strongly consider blocking remote entity resolution
+and/or outright disabling of DTD processing in light of the continued
+identification of bugs in this area of the library.
+
+Credit: This issue was reported by Alberto Garcia, Francisco Oca,
+and Suleman Ali of Offensive Research at Salesforce.com.
+
+References:
+http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+
+-----BEGIN PGP SIGNATURE-----
+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+=4BQ4
+-----END PGP SIGNATURE-----
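Review bot: the Description states that a NULL pointer dereference "could conceivably result in remote code execution" without saying why; a NULL dereference by itself is a crash, so either give the basis for the RCE possibility or restrict the impact statement to the denial of service the text actually describes. The Mitigation paragraph tells applications to block remote entity resolution or disable DTD processing but names no parser feature or API for doing so; pointing readers at the relevant parser feature (for example the load-external-dtd feature, or installing an entity resolver that refuses external references) would make the advice actionable. The References section repeats only the advisory's own URL; the fix revision is already linked under Mitigation, so listing it again here as a reference would keep the two sections consistent.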