[jira] [Comment Edited] (XERCESC-2188) Use-after-free on external DTD scan

2023-06-30 Thread Benjamin Fritz (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738217#comment-17738217 ]

Benjamin Fritz edited comment on XERCESC-2188 at 6/30/23 10:35 PM:
---

FYI [~ilatypov] updates to CVEs in NVD can be requested here: 
https://cveform.mitre.org/ (sometimes they respond with a different place to 
report instead, I will try to remember to update if this is the case for this 
one)

I have gone ahead and requested the affected versions be updated to reflect 
that there is currently no fixed version, referencing this issue page and the 
advisory, since at this time version 3.2.3 is still listed as the last impacted 
version in NVD.

Edit: I have been instructed to forward my request to secur...@apache.org 
because Apache is the CNA for this CVE. I have done so.


was (Author: JIRAUSER295541):
FYI [~ilatypov] updates to CVEs in NVD can be requested here: 
https://cveform.mitre.org/ (sometimes they respond with a different place to 
report instead, I will try to remember to update if this is the case for this 
one)

I have gone ahead and requested the affected versions be updated to reflect 
that there is currently no fixed version, referencing this issue page and the 
advisory, since at this time version 3.2.3 is still listed as the last impacted 
version in NVD.

> Use-after-free on external DTD scan
> ---
>
> Key: XERCESC-2188
> URL: https://issues.apache.org/jira/browse/XERCESC-2188
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (DTD)
> Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 3.1.4, 3.2.1, 3.2.2
> Reporter: Scott Cantor
> Priority: Major
> Attachments: Apache-496067-disclosure-report.pdf
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per the attached PDF, corresponding to CVE-2018-1311.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org



[jira] [Comment Edited] (XERCESC-2188) Use-after-free on external DTD scan

2023-06-28 Thread Benjamin Fritz (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738217#comment-17738217 ]

Benjamin Fritz edited comment on XERCESC-2188 at 6/28/23 5:07 PM:
--

FYI [~ilatypov] updates to CVEs in NVD can be requested here: 
https://cveform.mitre.org/ (sometimes they respond with a different place to 
report instead, I will try to remember to update if this is the case for this 
one)

I have gone ahead and requested the affected versions be updated to reflect 
that there is currently no fixed version, referencing this issue page and the 
advisory, since at this time version 3.2.3 is still listed as the last impacted 
version in NVD.


was (Author: JIRAUSER295541):
FYI updates to CVEs in NVD can be requested here: https://cveform.mitre.org/ 
(sometimes they respond with a different place to report instead, I will try to 
remember to update if this is the case for this one)

I have gone ahead and requested the affected versions be updated to reflect 
that there is currently no fixed version, referencing this issue page and the 
advisory, since at this time version 3.2.3 is still listed as the last impacted 
version in NVD.







[jira] [Comment Edited] (XERCESC-2188) Use-after-free on external DTD scan

2023-04-26 Thread Scott Cantor (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716910#comment-17716910 ]

Scott Cantor edited comment on XERCESC-2188 at 4/26/23 8:50 PM:
---

I will update the advisory tonight or tomorrow with some information about it 
but it's not going to keep getting updated like this because some scanner is 
broken and misused. Since patches are infrequent, hopefully that will hold it 
for a while.

ETA: this is done.


was (Author: canto...@osu.edu):
I will update the advisory tonight or tomorrow with some information about it 
but it's not going to keep getting updated like this because some scanner is 
broken and misused. Since patches are infrequent, hopefully that will hold it 
for a while.







[jira] [Comment Edited] (XERCESC-2188) Use-after-free on external DTD scan

2023-04-26 Thread Ilguiz Latypov (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716851#comment-17716851 ]

Ilguiz Latypov edited comment on XERCESC-2188 at 4/26/23 8:33 PM:
--

Since 2019, the NIST record of this bug included the upper boundary for 
the Xerces C version, 3.2.2 (probably because it was the last known version of 
the product). It was updated to include 3.2.3 in 2020 (in the 
human-readable description) and 2022 (in the machine-readable one).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being 
vulnerable.  This makes the component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE?  I can see the change 
history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which 
point the CVE record could add the proper upper boundary.



was (Author: ilatypov):
Since 2019, the NIST record of this bug included the upper boundary for 
the Xerces C version, 3.2.3 (probably because it was the last known version of 
the product).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being 
vulnerable.  This makes the component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE?  I can see the change 
history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which 
point the CVE record could add the proper upper boundary.




