Message-ID: <DC701A09-7FAD-4064-8B6F-89D8202B65F9@osu.edu>
Date: Thu, 1 Mar 2018 02:26:43 +0000
From: "Cantor, Scott" <cantor.2@....edu>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Apache Xerces-C Security Advisory for versions < 3.2.1 [CVE-2017-12627]

CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.2.1

Description: The Xerces-C XML parser mishandles certain kinds of external
DTD references, resulting in dereference of a NULL pointer while processing
the path to the DTD. The bug allows for a denial of service attack in
applications that allow DTD processing and do not prevent external DTD
usage, and could conceivably result in remote code execution.

Mitigation: Applications that are using library versions older than
V3.2.1 should upgrade as soon as possible. Distributors of older versions
should apply the patch from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1819998

Applications should strongly consider blocking remote entity resolution
and/or outright disabling of DTD processing in light of the continued
identification of bugs in this area of the library.

Credit: This issue was reported by Alberto Garcia, Francisco Oca, and
Suleman Ali of Offensive Research at Salesforce.com.

References: http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
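
One way to enforce the advisory's suggestion to disable DTD processing at the application boundary, as an added example that is not part of the advisory or of Xerces-C: a fail-closed gate that inspects only the XML prolog and refuses any input carrying a DOCTYPE before it reaches the parser. The names classifyProlog and safeToParse and the sample documents are assumptions made for this example; input that is not ASCII-compatible (for example UTF-16) is rejected rather than decoded.

```cpp
// Added example: fail-closed prolog gate run before input is handed to the XML parser.
#include <cctype>
#include <iostream>
#include <string>

enum class Prolog { NoDoctype, Doctype, Rejected };

// Classify the XML prolog without parsing the rest of the document.
Prolog classifyProlog(const std::string& xml) {
    const auto npos = std::string::npos;
    // NUL bytes indicate UTF-16/32 or binary input; reject instead of guessing.
    if (xml.find('\0') != npos) return Prolog::Rejected;
    std::string::size_type pos = xml.compare(0, 3, "\xEF\xBB\xBF") == 0 ? 3 : 0;  // UTF-8 BOM
    while (pos < xml.size()) {
        unsigned char c = xml[pos];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') { ++pos; continue; }
        if (xml.compare(pos, 4, "<!--") == 0) {
            // A comment must end at its first "--"; anything else is malformed.
            auto end = xml.find("--", pos + 4);
            if (end == npos || xml.compare(end, 3, "-->") != 0) return Prolog::Rejected;
            pos = end + 3;
        } else if (xml.compare(pos, 2, "<?") == 0) {
            // XML declaration or processing instruction: skip to "?>".
            auto end = xml.find("?>", pos + 2);
            if (end == npos) return Prolog::Rejected;
            pos = end + 2;
        } else if (xml.compare(pos, 9, "<!DOCTYPE") == 0) {
            return Prolog::Doctype;
        } else if (c == '<' && pos + 1 < xml.size()) {
            // Root element reached: the prolog is over and held no DOCTYPE.
            unsigned char n = xml[pos + 1];
            bool nameStart = std::isalpha(n) || n == '_' || n == ':' || n >= 0x80;
            return nameStart ? Prolog::NoDoctype : Prolog::Rejected;
        } else {
            return Prolog::Rejected;  // unexpected bytes in the prolog
        }
    }
    return Prolog::Rejected;  // no root element found
}

// Policy taken from the advisory's hardening advice: accept only DOCTYPE-free input.
bool safeToParse(const std::string& xml) {
    return classifyProlog(xml) == Prolog::NoDoctype;
}

int main() {
    // Constructed samples, not taken from the advisory.
    const std::string plain = "<?xml version=\"1.0\"?>\n<!-- ok -->\n<order id=\"1\"/>";
    const std::string dtd = "<?xml version=\"1.0\"?>\n<!DOCTYPE order SYSTEM \"order.dtd\">\n<order/>";
    std::cout << safeToParse(plain) << safeToParse(dtd) << "\n";
}
```

The gate complements the upgrade to V3.2.1 named in the advisory and does not replace it.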