Message-Id: <E1Mhoh7-00006i-6Q@titan.mandriva.com>
Date: Sun, 30 Aug 2009 20:00:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:223 ] xerces-c
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:223
http://www.mandriva.com/security/
_______________________________________________________________________
Package : xerces-c
Date : August 30, 2009
Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in xerces-c:
Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to
cause a denial of service (application crash) via vectors involving
nested parentheses and invalid byte values in simply nested DTD
structures, as demonstrated by the Codenomicon XML fuzzing framework
(CVE-2009-1885).
This update provides a solution to this vulnerability.
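As an added illustration of the defensive pattern behind this class of bug (example code written for this page, not Xerces-C code and not part of the advisory): a minimal recursive-descent parser for DTD-style content models such as "(a,(b|c)*)" that bounds parenthesis nesting and rejects invalid bytes, returning an error instead of recursing without limit. The limit kMaxDepth and all names are assumptions.

```cpp
// Added example, not Xerces-C code: parse a DTD content model with a hard
// bound on group nesting so hostile input cannot exhaust the call stack.
#include <cctype>
#include <cstddef>
#include <string>

enum class CmResult { Ok, TooDeep, Malformed };
constexpr std::size_t kMaxDepth = 64;   // assumed policy value

namespace {
CmResult parseParticle(const std::string& s, std::size_t& i, std::size_t depth);

// Parses "( particle ((,|'|') particle)* )"; depth counts enclosing groups.
CmResult parseGroup(const std::string& s, std::size_t& i, std::size_t depth) {
    if (depth > kMaxDepth) return CmResult::TooDeep;     // the bound
    if (i >= s.size() || s[i] != '(') return CmResult::Malformed;
    ++i;
    for (;;) {
        CmResult r = parseParticle(s, i, depth);
        if (r != CmResult::Ok) return r;
        if (i >= s.size()) return CmResult::Malformed;   // unterminated group
        if (s[i] == ',' || s[i] == '|') { ++i; continue; }
        if (s[i] == ')') { ++i; return CmResult::Ok; }
        return CmResult::Malformed;
    }
}

// Parses a name (e.g. "b", "#PCDATA") or a nested group, plus optional ?*+.
// Any byte outside the allowed name set is reported as Malformed.
CmResult parseParticle(const std::string& s, std::size_t& i, std::size_t depth) {
    if (i < s.size() && s[i] == '(') {
        CmResult r = parseGroup(s, i, depth + 1);
        if (r != CmResult::Ok) return r;
    } else {
        std::size_t start = i;
        while (i < s.size() && (std::isalnum(static_cast<unsigned char>(s[i])) ||
               s[i] == '_' || s[i] == '-' || s[i] == '.' || s[i] == ':' || s[i] == '#'))
            ++i;
        if (i == start) return CmResult::Malformed;
    }
    if (i < s.size() && (s[i] == '?' || s[i] == '*' || s[i] == '+')) ++i;
    return CmResult::Ok;
}
}  // namespace

// Validates a whole content model; the outermost group is depth 1.
CmResult checkContentModel(const std::string& model) {
    std::size_t i = 0;
    CmResult r = parseGroup(model, i, 1);
    if (r != CmResult::Ok) return r;
    if (i < model.size() && (model[i] == '?' || model[i] == '*' || model[i] == '+')) ++i;
    return i == model.size() ? CmResult::Ok : CmResult::Malformed;
}

// Constructed test input: n nested groups around a single name.
std::string nestedModel(std::size_t n) {
    return std::string(n, '(') + "a" + std::string(n, ')');
}
```

The same bound applies to any recursive scanner: every recursion path must carry a depth counter checked before descending, not after the stack has already grown.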
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----