[SECURITY] [DLA 535-1] xerces-c security update

2016-06-2920:27:56

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.007 Low

EPSS

Percentile

80.8%

JSON

Package : xerces-c
Version : 3.1.1-3+deb7u4
CVE ID : CVE-2016-4463
Debian Bug : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, fails to successfully parse a DTD that is deeply nested,
causing a stack overflow. A remote unauthenticated attacker can take
advantage of this flaw to cause a denial of service against applications
using the xerces-c library.

Additionally this update includes an enhancement to enable applications
to fully disable DTD processing through the use of an environment
variable (XERCES_DISABLE_DTD).

For Debian 7 "Wheezy", these problems have been fixed in version
3.1.1-3+deb7u4.

We recommend that you upgrade your xerces-c packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian7amd64libxerces-c-dev< 3.1.1-3+deb7u4libxerces-c-dev_3.1.1-3+deb7u4_amd64.deb
Debian8arm64libxerces-c-samples< 3.1.1-5.1+deb8u3libxerces-c-samples_3.1.1-5.1+deb8u3_arm64.deb
Debian8powerpclibxerces-c-dev< 3.1.1-5.1+deb8u3libxerces-c-dev_3.1.1-5.1+deb8u3_powerpc.deb
Debian8s390xlibxerces-c3.1< 3.1.1-5.1+deb8u3libxerces-c3.1_3.1.1-5.1+deb8u3_s390x.deb
Debian8mipslibxerces-c3.1< 3.1.1-5.1+deb8u3libxerces-c3.1_3.1.1-5.1+deb8u3_mips.deb
Debian8kfreebsd-i386libxerces-c-samples< 3.1.1-5.1+deb8u3libxerces-c-samples_3.1.1-5.1+deb8u3_kfreebsd-i386.deb
Debian7armellibxerces-c3.1< 3.1.1-3+deb7u4libxerces-c3.1_3.1.1-3+deb7u4_armel.deb
Debian8powerpclibxerces-c3.1< 3.1.1-5.1+deb8u3libxerces-c3.1_3.1.1-5.1+deb8u3_powerpc.deb
Debian8mipsellibxerces-c-samples< 3.1.1-5.1+deb8u3libxerces-c-samples_3.1.1-5.1+deb8u3_mipsel.deb
Debian8amd64libxerces-c-dev< 3.1.1-5.1+deb8u3libxerces-c-dev_3.1.1-5.1+deb8u3_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	amd64	libxerces-c-dev	< 3.1.1-3+deb7u4	libxerces-c-dev_3.1.1-3+deb7u4_amd64.deb
Debian	8	arm64	libxerces-c-samples	< 3.1.1-5.1+deb8u3	libxerces-c-samples_3.1.1-5.1+deb8u3_arm64.deb
Debian	8	powerpc	libxerces-c-dev	< 3.1.1-5.1+deb8u3	libxerces-c-dev_3.1.1-5.1+deb8u3_powerpc.deb
Debian	8	s390x	libxerces-c3.1	< 3.1.1-5.1+deb8u3	libxerces-c3.1_3.1.1-5.1+deb8u3_s390x.deb
Debian	8	mips	libxerces-c3.1	< 3.1.1-5.1+deb8u3	libxerces-c3.1_3.1.1-5.1+deb8u3_mips.deb
Debian	8	kfreebsd-i386	libxerces-c-samples	< 3.1.1-5.1+deb8u3	libxerces-c-samples_3.1.1-5.1+deb8u3_kfreebsd-i386.deb
Debian	7	armel	libxerces-c3.1	< 3.1.1-3+deb7u4	libxerces-c3.1_3.1.1-3+deb7u4_armel.deb
Debian	8	powerpc	libxerces-c3.1	< 3.1.1-5.1+deb8u3	libxerces-c3.1_3.1.1-5.1+deb8u3_powerpc.deb
Debian	8	mipsel	libxerces-c-samples	< 3.1.1-5.1+deb8u3	libxerces-c-samples_3.1.1-5.1+deb8u3_mipsel.deb
Debian	8	amd64	libxerces-c-dev	< 3.1.1-5.1+deb8u3	libxerces-c-dev_3.1.1-5.1+deb8u3_amd64.deb