{"id": "OPENVAS:1361412562310875670", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for xerces-c27 FEDORA-2018-51ce232320", "description": "The remote host is missing an update for the ", "published": "2019-05-07T00:00:00", "modified": "2019-05-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875670", "reporter": "Copyright (C) 2019 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMCXOMXMDGI3E4QPKT555STPNMAXVYFN", "2018-51ce232320"], "cvelist": ["CVE-2016-4463", "CVE-2017-12627"], "lastseen": "2019-05-29T18:32:13", "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-12627", "CVE-2016-4463"]}, {"type": "f5", "idList": ["SOL70191975", "F5:K70191975"]}, {"type": "openvas", "idList": ["OPENVAS:703610", "OPENVAS:1361412562311220181101", "OPENVAS:1361412562310874897", "OPENVAS:1361412562311220181395", "OPENVAS:1361412562311220181100", "OPENVAS:1361412562310852455", "OPENVAS:1361412562310891328", "OPENVAS:1361412562311220181160", "OPENVAS:1361412562310105898", "OPENVAS:1361412562310874896"]}, {"type": "fedora", "idList": ["FEDORA:B246F6062E32", "FEDORA:25BFB60F4452", "FEDORA:695266060B78", "FEDORA:D0B7E60F8CB6", "FEDORA:453EC6075D81", "FEDORA:9D4716087D67", "FEDORA:BC0C9601B28F", "FEDORA:180D36062E32", "FEDORA:870746062BE7"]}, {"type": "debian", "idList": ["DEBIAN:DLA-535-1:80CD0", "DEBIAN:DSA-3610-1:14B0F", "DEBIAN:DLA-1328-1:8CC7C"]}, {"type": "nessus", "idList": ["EULEROS_SA-2018-1160.NASL", "FEDORA_2018-7B97E553FF.NASL", "DEBIAN_DLA-1328.NASL", "SUSE_SU-2020-2225-1.NASL", "PHOTONOS_PHSA-2018-1_0-0126_XERCES.NASL", "OPENSUSE-2019-1283.NASL", "EULEROS_SA-2018-1101.NASL", "EULEROS_SA-2019-2199.NASL", "SUSE_SU-2019-0977-1.NASL", "EULEROS_SA-2018-1100.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1283-1"]}, {"type": "archlinux", "idList": ["ASA-201803-23", "ASA-201607-2"]}, {"type": "redhat", "idList": ["RHSA-2018:3506", "RHSA-2018:3514", "RHSA-2018:3335"]}, {"type": "amazon", "idList": ["ALAS2-2018-1124"]}, {"type": "centos", "idList": ["CESA-2018:3335"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-3335"]}, {"type": "freebsd", "idList": ["CB09A7AA-5344-11E6-A7BD-14DAE9D210B8"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2018-4258247", "ORACLE:CPUAPR2020", "ORACLE:CPUJUL2018"]}], "modified": "2019-05-29T18:32:13", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2019-05-29T18:32:13", "rev": 2}, "vulnersScore": 6.3}, "pluginID": "1361412562310875670", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875670\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2016-4463\", \"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:15:16 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for xerces-c27 FEDORA-2018-51ce232320\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-51ce232320\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMCXOMXMDGI3E4QPKT555STPNMAXVYFN\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xerces-c27'\n package(s) announced via the FEDORA-2018-51ce232320 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Xerces-C is a validating XML parser written in a portable subset of C++.\nXerces-C makes it easy to give your application the ability to read and write\nXML data. A shared library is provided for parsing, generating, manipulating,\nand validating XML documents. Xerces-C is faithful to the XML 1.0\nrecommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0,\nNamespaces).\n\nNote that this package contains Xerces-C++ 2.7.0 for compatibility with\napplications that cannot use a newer version.\");\n\n script_tag(name:\"affected\", value:\"'xerces-c27' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c27\", rpm:\"xerces-c27~2.7.0~28.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "Fedora Local Security Checks"}

{"cve": [{"lastseen": "2021-02-02T06:36:35", "description": "In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-01T14:29:00", "title": "CVE-2017-12627", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12627"], "modified": "2018-03-31T01:29:00", "cpe": [], "id": "CVE-2017-12627", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12627", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T06:28:07", "description": "Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-07-08T19:59:00", "title": "CVE-2016-4463", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4463"], "modified": "2018-11-07T11:29:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:apache:xerces-c\\+\\+:3.1.3"], "id": "CVE-2016-4463", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4463", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:xerces-c\\+\\+:3.1.3:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T06:18:13", "bulletinFamily": "software", "cvelist": ["CVE-2016-4463"], "edition": 1, "description": "\nF5 Product Development has assigned ID 612393 (BIG-IP), ID 599815 (Enterprise Manager), and ID 595939 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H615876 on the **Diagnostics** &gt; **Identified** &gt; **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 11.2.1 \n10.2.1 - 10.2.4| Medium| **PolicySync** and the **samlidpd** daemon \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1| Not Vulnerable| None \nARX| 6.2.0 - 6.4.0| None| Low| XML parser \nEnterprise Manager| 3.1.1| None| Medium| EM daemons \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2017-03-14T22:30:00", "published": "2016-09-15T21:28:00", "href": "https://support.f5.com/csp/article/K70191975", "id": "F5:K70191975", "title": "Apache Xerces vulnerability CVE-2016-4463", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:17", "bulletinFamily": "software", "cvelist": ["CVE-2016-4463"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n", "edition": 1, "modified": "2016-09-15T00:00:00", "published": "2016-09-15T00:00:00", "id": "SOL70191975", "href": "http://support.f5.com/kb/en-us/solutions/public/k/70/sol70191975.html", "type": "f5", "title": "SOL70191975 - Apache Xerces vulnerability CVE-2016-4463", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-04-07T18:43:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4463"], "description": "Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.", "modified": "2020-04-03T00:00:00", "published": "2016-09-22T00:00:00", "id": "OPENVAS:1361412562310105898", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105898", "type": "openvas", "title": "F5 BIG-IP - SOL70191975 - Apache Xerces vulnerability CVE-2016-4463", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - SOL70191975 - Apache Xerces vulnerability CVE-2016-4463\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105898\");\n script_cve_id(\"CVE-2016-4463\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - SOL70191975 - Apache Xerces vulnerability CVE-2016-4463\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/70/sol70191975.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-09-22 13:01:18 +0200 (Thu, 22 Sep 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '11.2.1;10.2.1-10.2.4;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:39:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181160", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181160", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1160)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1160\");\n script_version(\"2020-01-23T11:15:35+0000\");\n script_cve_id(\"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:15:35 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:15:35 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1160)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1160\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1160\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xerces-c' package(s) announced via the EulerOS-SA-2018-1160 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions.(CVE-2017-12627)\");\n\n script_tag(name:\"affected\", value:\"'xerces-c' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c\", rpm:\"xerces-c~3.1.1~8.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-08-05T00:00:00", "id": "OPENVAS:1361412562310874896", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874896", "type": "openvas", "title": "Fedora Update for mingw-gdal FEDORA-2018-7b97e553ff", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7b97e553ff_mingw-gdal_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for mingw-gdal FEDORA-2018-7b97e553ff\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874896\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-05 06:02:31 +0200 (Sun, 05 Aug 2018)\");\n script_cve_id(\"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mingw-gdal FEDORA-2018-7b97e553ff\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-gdal'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"mingw-gdal on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7b97e553ff\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVW3NLXLY7U7NZE7XLNTPAYB7HNJLBZK\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw32-gdal\", rpm:\"mingw32-gdal~2.2.4~5.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mingw64-gdal\", rpm:\"mingw64-gdal~2.2.4~5.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:09:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "lberto Garcia, Francisco Oca and Suleman Ali of Offensive Research\ndiscovered that the Xerces-C XML parser mishandles certain kinds of\nexternal DTD references, resulting in dereference of a NULL pointer\nwhile processing the path to the DTD. The bug allows for a denial of\nservice attack in applications that allow DTD processing and do not\nprevent external DTD usage, and could conceivably result in remote code\nexecution.", "modified": "2020-01-29T00:00:00", "published": "2018-04-02T00:00:00", "id": "OPENVAS:1361412562310891328", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891328", "type": "openvas", "title": "Debian LTS: Security Advisory for xerces-c (DLA-1328-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891328\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-12627\");\n script_name(\"Debian LTS: Security Advisory for xerces-c (DLA-1328-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-04-02 00:00:00 +0200 (Mon, 02 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"xerces-c on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n3.1.1-3+deb7u5.\n\nWe recommend that you upgrade your xerces-c packages.\");\n\n script_tag(name:\"summary\", value:\"lberto Garcia, Francisco Oca and Suleman Ali of Offensive Research\ndiscovered that the Xerces-C XML parser mishandles certain kinds of\nexternal DTD references, resulting in dereference of a NULL pointer\nwhile processing the path to the DTD. The bug allows for a denial of\nservice attack in applications that allow DTD processing and do not\nprevent external DTD usage, and could conceivably result in remote code\nexecution.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libxerces-c-dev\", ver:\"3.1.1-3+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxerces-c-doc\", ver:\"3.1.1-3+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxerces-c-samples\", ver:\"3.1.1-3+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxerces-c3.1\", ver:\"3.1.1-3+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:35:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181101", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181101", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1101)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1101\");\n script_version(\"2020-01-23T11:12:38+0000\");\n script_cve_id(\"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:12:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:12:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1101)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1101\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1101\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xerces-c' package(s) announced via the EulerOS-SA-2018-1101 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions.(CVE-2017-12627)\");\n\n script_tag(name:\"affected\", value:\"'xerces-c' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c\", rpm:\"xerces-c~3.1.1~8.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:35:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181100", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1100)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1100\");\n script_version(\"2020-01-23T11:12:37+0000\");\n script_cve_id(\"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:12:37 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:12:37 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1100)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1100\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1100\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xerces-c' package(s) announced via the EulerOS-SA-2018-1100 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions.(CVE-2017-12627)\");\n\n script_tag(name:\"affected\", value:\"'xerces-c' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c\", rpm:\"xerces-c~3.1.1~8.h1\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-08-05T00:00:00", "id": "OPENVAS:1361412562310874897", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874897", "type": "openvas", "title": "Fedora Update for mingw-xerces-c FEDORA-2018-7b97e553ff", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7b97e553ff_mingw-xerces-c_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for mingw-xerces-c FEDORA-2018-7b97e553ff\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874897\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-05 06:02:33 +0200 (Sun, 05 Aug 2018)\");\n script_cve_id(\"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mingw-xerces-c FEDORA-2018-7b97e553ff\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-xerces-c'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"mingw-xerces-c on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7b97e553ff\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OK5AWTWZ3CXE365VK6U3E4Q2GO6CFVG3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw32-xerces-c\", rpm:\"mingw32-xerces-c~3.2.1~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mingw64-xerces-c\", rpm:\"mingw64-xerces-c~3.2.1~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:48:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-04-27T00:00:00", "id": "OPENVAS:1361412562310852455", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852455", "type": "openvas", "title": "openSUSE: Security Advisory for xerces-c (openSUSE-SU-2019:1283-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852455\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2017-12627\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-27 02:00:26 +0000 (Sat, 27 Apr 2019)\");\n script_name(\"openSUSE: Security Advisory for xerces-c (openSUSE-SU-2019:1283-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1283-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00099.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xerces-c'\n package(s) announced via the openSUSE-SU-2019:1283-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for xerces-c fixes the following issue:\n\n - CVE-2017-12627: Processing of external DTD paths could have resulted in\n a null pointer dereference under certain conditions (bsc#1083630)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1283=1\");\n\n script_tag(name:\"affected\", value:\"'xerces-c' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libxerces-c-3_1\", rpm:\"libxerces-c-3_1~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libxerces-c-3_1-debuginfo\", rpm:\"libxerces-c-3_1-debuginfo~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libxerces-c-devel\", rpm:\"libxerces-c-devel~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c\", rpm:\"xerces-c~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c-debuginfo\", rpm:\"xerces-c-debuginfo~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c-debugsource\", rpm:\"xerces-c-debugsource~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c-doc\", rpm:\"xerces-c-doc~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libxerces-c-3_1-32bit\", rpm:\"libxerces-c-3_1-32bit~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libxerces-c-3_1-32bit-debuginfo\", rpm:\"libxerces-c-3_1-32bit-debuginfo~3.1.4~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:54:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4463"], "description": "Brandon Perry discovered that xerces-c,\na validating XML parser library for C++, fails to successfully parse a DTD that is\ndeeply nested, causing a stack overflow. A remote unauthenticated attacker can take\nadvantage of this flaw to cause a denial of service against applications\nusing the xerces-c library.\n\nAdditionally this update includes an enhancement to enable applications\nto fully disable DTD processing through the use of an environment\nvariable (XERCES_DISABLE_DTD).", "modified": "2017-07-07T00:00:00", "published": "2016-06-29T00:00:00", "id": "OPENVAS:703610", "href": "http://plugins.openvas.org/nasl.php?oid=703610", "type": "openvas", "title": "Debian Security Advisory DSA 3610-1 (xerces-c - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3610.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3610-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703610);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-4463\");\n script_name(\"Debian Security Advisory DSA 3610-1 (xerces-c - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-06-29 00:00:00 +0200 (Wed, 29 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3610.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"xerces-c on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 3.1.1-5.1+deb8u3.\n\nWe recommend that you upgrade your xerces-c packages.\");\n script_tag(name: \"summary\", value: \"Brandon Perry discovered that xerces-c,\na validating XML parser library for C++, fails to successfully parse a DTD that is\ndeeply nested, causing a stack overflow. A remote unauthenticated attacker can take\nadvantage of this flaw to cause a denial of service against applications\nusing the xerces-c library.\n\nAdditionally this update includes an enhancement to enable applications\nto fully disable DTD processing through the use of an environment\nvariable (XERCES_DISABLE_DTD).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libxerces-c-dev\", ver:\"3.1.1-5.1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxerces-c-doc\", ver:\"3.1.1-5.1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxerces-c-samples\", ver:\"3.1.1-5.1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxerces-c3.1:amd64\", ver:\"3.1.1-5.1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxerces-c3.1:i386\", ver:\"3.1.1-5.1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-01-27T18:39:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4463"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181395", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181395", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1395)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1395\");\n script_version(\"2020-01-23T11:24:28+0000\");\n script_cve_id(\"CVE-2016-4463\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:24:28 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:24:28 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xerces-c (EulerOS-SA-2018-1395)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1395\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1395\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xerces-c' package(s) announced via the EulerOS-SA-2018-1395 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"xerces-c: Stack overflow when parsing deeply nested DTD (CVE-2016-4463)\");\n\n script_tag(name:\"affected\", value:\"'xerces-c' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xerces-c\", rpm:\"xerces-c~3.1.1~9.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463", "CVE-2017-12627"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and wri te XML data. A shared library is provided for parsing, generating, manipulatin g, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2. 0, Namespaces). Note that this package contains Xerces-C++ 2.7.0 for compatibility with applications that cannot use a newer version. ", "modified": "2019-02-13T02:48:11", "published": "2019-02-13T02:48:11", "id": "FEDORA:9D4716087D67", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: xerces-c27-2.7.0-28.fc29", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12627"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards (DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces). ", "modified": "2018-08-04T21:46:47", "published": "2018-08-04T21:46:47", "id": "FEDORA:25BFB60F4452", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: mingw-xerces-c-3.2.1-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12627"], "description": "MinGW Windows GDAL library. ", "modified": "2018-08-04T21:46:46", "published": "2018-08-04T21:46:46", "id": "FEDORA:D0B7E60F8CB6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: mingw-gdal-2.2.4-5.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2099", "CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, XML Inclusions). ", "modified": "2016-07-06T05:56:02", "published": "2016-07-06T05:56:02", "id": "FEDORA:870746062BE7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: xerces-c-3.1.4-1.fc23", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2099", "CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, XML Inclusions). ", "modified": "2016-07-06T05:52:27", "published": "2016-07-06T05:52:27", "id": "FEDORA:B246F6062E32", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: xerces-c-3.1.4-1.fc22", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2099", "CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, XML Inclusions). ", "modified": "2016-07-02T15:30:16", "published": "2016-07-02T15:30:16", "id": "FEDORA:695266060B78", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xerces-c-3.1.4-1.fc24", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0729", "CVE-2016-2099", "CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards (DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces). ", "modified": "2016-07-06T05:52:17", "published": "2016-07-06T05:52:17", "id": "FEDORA:180D36062E32", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: mingw-xerces-c-3.1.4-1.fc22", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0729", "CVE-2016-2099", "CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards (DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces). ", "modified": "2016-07-06T05:55:52", "published": "2016-07-06T05:55:52", "id": "FEDORA:453EC6075D81", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: mingw-xerces-c-3.1.4-1.fc23", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0729", "CVE-2016-2099", "CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards (DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces). ", "modified": "2016-07-05T05:06:36", "published": "2016-07-05T05:06:36", "id": "FEDORA:BC0C9601B28F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: mingw-xerces-c-3.1.4-1.fc24", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-03-17T22:39:31", "description": "An update of the xerces package has been released.", "edition": 8, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Xerces PHSA-2018-1.0-0126", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:xerces", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0126_XERCES.NASL", "href": "https://www.tenable.com/plugins/nessus/121831", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0126. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121831);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2017-12627\");\n\n script_name(english:\"Photon OS 1.0: Xerces PHSA-2018-1.0-0126\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the xerces package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-126.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12627\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:xerces\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"xerces-c-3.2.1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"xerces-c-debuginfo-3.2.1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"xerces-c-devel-3.2.1-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:18:54", "description": "Update to 3.2.1 (CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : mingw-gdal / mingw-xerces-c (2018-7b97e553ff)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mingw-xerces-c", "p-cpe:/a:fedoraproject:fedora:mingw-gdal", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-7B97E553FF.NASL", "href": "https://www.tenable.com/plugins/nessus/120555", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-7b97e553ff.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120555);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-12627\");\n script_xref(name:\"FEDORA\", value:\"2018-7b97e553ff\");\n\n script_name(english:\"Fedora 28 : mingw-gdal / mingw-xerces-c (2018-7b97e553ff)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 3.2.1 (CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7b97e553ff\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-gdal and / or mingw-xerces-c packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-gdal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-xerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"mingw-gdal-2.2.4-5.fc28\")) flag++;\nif (rpm_check(release:\"FC28\", reference:\"mingw-xerces-c-3.2.1-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-gdal / mingw-xerces-c\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-14T06:17:56", "description": "This update for xerces-c fixes the following issue :\n\nCVE-2017-12627: Processing of external DTD paths could have resulted\nin a NULL pointer dereference under certain conditions (bsc#1083630)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-18T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : xerces-c (SUSE-SU-2019:0977-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2019-04-18T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:xerces-c", "p-cpe:/a:novell:suse_linux:libxerces-c-devel", "p-cpe:/a:novell:suse_linux:xerces-c-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:libxerces-c", "p-cpe:/a:novell:suse_linux:xerces-c-debugsource", "p-cpe:/a:novell:suse_linux:xerces-c-doc", "p-cpe:/a:novell:suse_linux:libxerces-c-3_1-debuginfo"], "id": "SUSE_SU-2019-0977-1.NASL", "href": "https://www.tenable.com/plugins/nessus/124151", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0977-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124151);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2017-12627\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : xerces-c (SUSE-SU-2019:0977-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for xerces-c fixes the following issue :\n\nCVE-2017-12627: Processing of external DTD paths could have resulted\nin a NULL pointer dereference under certain conditions (bsc#1083630)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-12627/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190977-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a10e5b6\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-977=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-977=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxerces-c-3_1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxerces-c-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xerces-c-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xerces-c-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xerces-c-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libxerces-c-3_1-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libxerces-c-3_1-debuginfo-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libxerces-c-devel-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"xerces-c-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"xerces-c-debuginfo-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"xerces-c-debugsource-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"xerces-c-doc-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libxerces-c-3_1-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libxerces-c-3_1-debuginfo-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libxerces-c-devel-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"xerces-c-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"xerces-c-debuginfo-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"xerces-c-debugsource-3.1.4-3.3.25\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"xerces-c-doc-3.1.4-3.3.25\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-c\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:53:18", "description": "According to the versions of the xerces-c package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Xerces-C is a validating XML parser written in a\n portable subset of C++. Xerces-C makes it easy to give\n your application the ability to read and write XML\n data. A shared library is provided for parsing,\n generating, manipulating, and validating XML documents.\n Xerces-C is faithful to the XML 1.0 recommendation and\n associated standards: XML 1.0 (Third Edition), XML 1.1\n (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0\n Traversal and Range,DOM Level 3.0 Load and Save, SAX\n 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML\n 1.1, XML Schema, XML Inclusions).\n\n - Security fix(es):\n\n - In Apache Xerces-C XML Parser library before 3.2.1,\n processing of external DTD paths can result in a null\n pointer dereference under certain\n conditions.(CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-02T00:00:00", "title": "EulerOS 2.0 SP2 : xerces-c (EulerOS-SA-2018-1101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2018-05-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-c", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1101.NASL", "href": "https://www.tenable.com/plugins/nessus/109499", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109499);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-12627\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : xerces-c (EulerOS-SA-2018-1101)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the xerces-c package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Xerces-C is a validating XML parser written in a\n portable subset of C++. Xerces-C makes it easy to give\n your application the ability to read and write XML\n data. A shared library is provided for parsing,\n generating, manipulating, and validating XML documents.\n Xerces-C is faithful to the XML 1.0 recommendation and\n associated standards: XML 1.0 (Third Edition), XML 1.1\n (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0\n Traversal and Range,DOM Level 3.0 Load and Save, SAX\n 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML\n 1.1, XML Schema, XML Inclusions).\n\n - Security fix(es):\n\n - In Apache Xerces-C XML Parser library before 3.2.1,\n processing of external DTD paths can result in a null\n pointer dereference under certain\n conditions.(CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?83819cd7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-c packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-c-3.1.1-8.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-c\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:53:31", "description": "According to the versions of the xerces-c package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Xerces-C is a validating XML parser written in a\n portable subset of C++. Xerces-C makes it easy to give\n your application the ability to read and write XML\n data. A shared library is provided for parsing,\n generating, manipulating, and validating XML documents.\n Xerces-C is faithful to the XML 1.0 recommendation and\n associated standards: XML 1.0 (Third Edition), XML 1.1\n (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0\n Traversal and Range,DOM Level 3.0 Load and Save, SAX\n 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML\n 1.1, XML Schema, XML Inclusions).\n\n - Security fix(es):\n\n - In Apache Xerces-C XML Parser library before 3.2.1,\n processing of external DTD paths can result in a null\n pointer dereference under certain\n conditions.(CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-28T00:00:00", "title": "EulerOS 2.0 SP3 : xerces-c (EulerOS-SA-2018-1160)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2018-06-28T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-c", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1160.NASL", "href": "https://www.tenable.com/plugins/nessus/110736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110736);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-12627\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : xerces-c (EulerOS-SA-2018-1160)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the xerces-c package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Xerces-C is a validating XML parser written in a\n portable subset of C++. Xerces-C makes it easy to give\n your application the ability to read and write XML\n data. A shared library is provided for parsing,\n generating, manipulating, and validating XML documents.\n Xerces-C is faithful to the XML 1.0 recommendation and\n associated standards: XML 1.0 (Third Edition), XML 1.1\n (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0\n Traversal and Range,DOM Level 3.0 Load and Save, SAX\n 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML\n 1.1, XML Schema, XML Inclusions).\n\n - Security fix(es):\n\n - In Apache Xerces-C XML Parser library before 3.2.1,\n processing of external DTD paths can result in a null\n pointer dereference under certain\n conditions.(CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1160\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?54f761b2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-c packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-c-3.1.1-8.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-c\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:41:11", "description": "This update for xerces-c fixes the following issue :\n\n - CVE-2017-12627: Processing of external DTD paths could\n have resulted in a NULL pointer dereference under\n certain conditions (bsc#1083630)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-29T00:00:00", "title": "openSUSE Security Update : xerces-c (openSUSE-2019-1283)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2019-04-29T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:xerces-c-debugsource", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:libxerces-c-3_1", "p-cpe:/a:novell:opensuse:libxerces-c-3_1-debuginfo", "p-cpe:/a:novell:opensuse:xerces-c-debuginfo", "p-cpe:/a:novell:opensuse:libxerces-c-devel", "p-cpe:/a:novell:opensuse:libxerces-c-3_1-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libxerces-c-3_1-32bit", "p-cpe:/a:novell:opensuse:xerces-c"], "id": "OPENSUSE-2019-1283.NASL", "href": "https://www.tenable.com/plugins/nessus/124357", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1283.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124357);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-12627\");\n\n script_name(english:\"openSUSE Security Update : xerces-c (openSUSE-2019-1283)\");\n script_summary(english:\"Check for the openSUSE-2019-1283 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for xerces-c fixes the following issue :\n\n - CVE-2017-12627: Processing of external DTD paths could\n have resulted in a NULL pointer dereference under\n certain conditions (bsc#1083630)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083630\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xerces-c packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxerces-c-3_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxerces-c-3_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxerces-c-3_1-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxerces-c-3_1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxerces-c-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xerces-c-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xerces-c-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libxerces-c-3_1-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libxerces-c-3_1-debuginfo-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libxerces-c-devel-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"xerces-c-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"xerces-c-debuginfo-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"xerces-c-debugsource-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libxerces-c-3_1-32bit-3.1.4-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libxerces-c-3_1-32bit-debuginfo-3.1.4-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libxerces-c-3_1 / libxerces-c-3_1-debuginfo / libxerces-c-devel / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:39:08", "description": "Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research\ndiscovered that the Xerces-C XML parser mishandles certain kinds of\nexternal DTD references, resulting in dereference of a NULL pointer\nwhile processing the path to the DTD. The bug allows for a denial of\nservice attack in applications that allow DTD processing and do not\nprevent external DTD usage, and could conceivably result in remote\ncode execution.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n3.1.1-3+deb7u5.\n\nWe recommend that you upgrade your xerces-c packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-30T00:00:00", "title": "Debian DLA-1328-1 : xerces-c security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2018-03-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libxerces-c-doc", "p-cpe:/a:debian:debian_linux:libxerces-c-dev", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:libxerces-c3.1", "p-cpe:/a:debian:debian_linux:libxerces-c-samples"], "id": "DEBIAN_DLA-1328.NASL", "href": "https://www.tenable.com/plugins/nessus/108728", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1328-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108728);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-12627\");\n\n script_name(english:\"Debian DLA-1328-1 : xerces-c security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research\ndiscovered that the Xerces-C XML parser mishandles certain kinds of\nexternal DTD references, resulting in dereference of a NULL pointer\nwhile processing the path to the DTD. The bug allows for a denial of\nservice attack in applications that allow DTD processing and do not\nprevent external DTD usage, and could conceivably result in remote\ncode execution.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n3.1.1-3+deb7u5.\n\nWe recommend that you upgrade your xerces-c packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/xerces-c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxerces-c-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxerces-c-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxerces-c-samples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxerces-c3.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libxerces-c-dev\", reference:\"3.1.1-3+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxerces-c-doc\", reference:\"3.1.1-3+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxerces-c-samples\", reference:\"3.1.1-3+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxerces-c3.1\", reference:\"3.1.1-3+deb7u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:53:18", "description": "According to the versions of the xerces-c package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Xerces-C is a validating XML parser written in a\n portable subset of C++. Xerces-C makes it easy to give\n your application the ability to read and write XML\n data. A shared library is provided for parsing,\n generating, manipulating, and validating XML documents.\n Xerces-C is faithful to the XML 1.0 recommendation and\n associated standards: XML 1.0 (Third Edition), XML 1.1\n (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0\n Traversal and Range,DOM Level 3.0 Load and Save, SAX\n 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML\n 1.1, XML Schema, XML Inclusions).\n\n - Security fix(es):\n\n - In Apache Xerces-C XML Parser library before 3.2.1,\n processing of external DTD paths can result in a null\n pointer dereference under certain\n conditions.(CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-02T00:00:00", "title": "EulerOS 2.0 SP1 : xerces-c (EulerOS-SA-2018-1100)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2018-05-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-c", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1100.NASL", "href": "https://www.tenable.com/plugins/nessus/109498", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109498);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-12627\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : xerces-c (EulerOS-SA-2018-1100)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the xerces-c package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Xerces-C is a validating XML parser written in a\n portable subset of C++. Xerces-C makes it easy to give\n your application the ability to read and write XML\n data. A shared library is provided for parsing,\n generating, manipulating, and validating XML documents.\n Xerces-C is faithful to the XML 1.0 recommendation and\n associated standards: XML 1.0 (Third Edition), XML 1.1\n (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0\n Traversal and Range,DOM Level 3.0 Load and Save, SAX\n 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML\n 1.1, XML Schema, XML Inclusions).\n\n - Security fix(es):\n\n - In Apache Xerces-C XML Parser library before 3.2.1,\n processing of external DTD paths can result in a null\n pointer dereference under certain\n conditions.(CVE-2017-12627)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1100\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?04c1549c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-c packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-c-3.1.1-8.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-c\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-14T06:29:43", "description": "This update for xerces-c fixes the following issues :\n\nCVE-2017-12627: Processing of external DTD paths could have resulted\nin a NULL pointer dereference under certain conditions (bsc#1083630)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-14T00:00:00", "title": "SUSE SLES12 Security Update : xerces-c (SUSE-SU-2020:2225-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12627"], "modified": "2020-08-14T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:xerces-c-debuginfo", "p-cpe:/a:novell:suse_linux:libxerces-c-3_1", "p-cpe:/a:novell:suse_linux:libxerces-c", "p-cpe:/a:novell:suse_linux:xerces-c-debugsource", "p-cpe:/a:novell:suse_linux:libxerces-c-3_1-debuginfo"], "id": "SUSE_SU-2020-2225-1.NASL", "href": "https://www.tenable.com/plugins/nessus/139592", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2225-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139592);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2017-12627\");\n\n script_name(english:\"SUSE SLES12 Security Update : xerces-c (SUSE-SU-2020:2225-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for xerces-c fixes the following issues :\n\nCVE-2017-12627: Processing of external DTD paths could have resulted\nin a NULL pointer dereference under certain conditions (bsc#1083630)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-12627/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202225-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b564812d\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-2225=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2020-2225=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2020-2225=1\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2020-2225=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2020-2225=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2020-2225=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2020-2225=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2020-2225=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-2225=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-2225=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-2225=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-2225=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-2225=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-2225=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2020-2225=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12627\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxerces-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxerces-c-3_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxerces-c-3_1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xerces-c-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xerces-c-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libxerces-c-3_1-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libxerces-c-3_1-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libxerces-c-3_1-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libxerces-c-3_1-debuginfo-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"xerces-c-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"xerces-c-debugsource-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libxerces-c-3_1-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libxerces-c-3_1-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libxerces-c-3_1-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libxerces-c-3_1-debuginfo-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"xerces-c-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"xerces-c-debugsource-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libxerces-c-3_1-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libxerces-c-3_1-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libxerces-c-3_1-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libxerces-c-3_1-debuginfo-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"xerces-c-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"xerces-c-debugsource-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libxerces-c-3_1-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libxerces-c-3_1-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libxerces-c-3_1-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libxerces-c-3_1-debuginfo-32bit-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"xerces-c-debuginfo-3.1.1-13.3.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"xerces-c-debugsource-3.1.1-13.3.6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-c\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T02:05:30", "description": "Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows\ncontext-dependent attackers to cause a denial of service via a deeply\nnested DTD.(CVE-2016-4463)", "edition": 30, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-09-16T00:00:00", "title": "F5 Networks BIG-IP : Apache Xerces vulnerability (K70191975)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4463"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL70191975.NASL", "href": "https://www.tenable.com/plugins/nessus/93550", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K70191975.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93550);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2016-4463\");\n\n script_name(english:\"F5 Networks BIG-IP : Apache Xerces vulnerability (K70191975)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows\ncontext-dependent attackers to cause a denial of service via a deeply\nnested DTD.(CVE-2016-4463)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K70191975\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K70191975.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K70191975\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.1\",\"10.2.1-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running the affected module APM\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:04", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12627"], "description": "Package : xerces-c\nVersion : 3.1.1-3+deb7u5\nCVE ID : CVE-2017-12627\nDebian Bug : 894050\n\nAlberto Garcia, Francisco Oca and Suleman Ali of Offensive Research\ndiscovered that the Xerces-C XML parser mishandles certain kinds of\nexternal DTD references, resulting in dereference of a NULL pointer\nwhile processing the path to the DTD. The bug allows for a denial of\nservice attack in applications that allow DTD processing and do not\nprevent external DTD usage, and could conceivably result in remote code\nexecution.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n3.1.1-3+deb7u5.\n\nWe recommend that you upgrade your xerces-c packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2018-03-29T21:50:17", "published": "2018-03-29T21:50:17", "id": "DEBIAN:DLA-1328-1:8CC7C", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201803/msg00032.html", "title": "[SECURITY] [DLA 1328-1] xerces-c security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:32", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "Package : xerces-c\nVersion : 3.1.1-3+deb7u4\nCVE ID : CVE-2016-4463\nDebian Bug : 828990\n\nBrandon Perry discovered that xerces-c, a validating XML parser library\nfor C++, fails to successfully parse a DTD that is deeply nested,\ncausing a stack overflow. A remote unauthenticated attacker can take\nadvantage of this flaw to cause a denial of service against applications\nusing the xerces-c library.\n\nAdditionally this update includes an enhancement to enable applications\nto fully disable DTD processing through the use of an environment\nvariable (XERCES_DISABLE_DTD).\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n3.1.1-3+deb7u4.\n\nWe recommend that you upgrade your xerces-c packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2016-06-29T20:28:13", "published": "2016-06-29T20:28:13", "id": "DEBIAN:DLA-535-1:80CD0", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201606/msg00035.html", "title": "[SECURITY] [DLA 535-1] xerces-c security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-08-12T00:58:27", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3610-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 29, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : xerces-c\nCVE ID : CVE-2016-4463\nDebian Bug : 828990\n\nBrandon Perry discovered that xerces-c, a validating XML parser library\nfor C++, fails to successfully parse a DTD that is deeply nested,\ncausing a stack overflow. A remote unauthenticated attacker can take\nadvantage of this flaw to cause a denial of service against applications\nusing the xerces-c library.\n\nAdditionally this update includes an enhancement to enable applications\nto fully disable DTD processing through the use of an environment\nvariable (XERCES_DISABLE_DTD).\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 3.1.1-5.1+deb8u3.\n\nWe recommend that you upgrade your xerces-c packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2016-06-29T20:19:18", "published": "2016-06-29T20:19:18", "id": "DEBIAN:DSA-3610-1:14B0F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00188.html", "title": "[SECURITY] [DSA 3610-1] xerces-c security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2019-04-26T22:20:31", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12627"], "description": "This update for xerces-c fixes the following issue:\n\n - CVE-2017-12627: Processing of external DTD paths could have resulted in\n a null pointer dereference under certain conditions (bsc#1083630)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-04-26T21:10:07", "published": "2019-04-26T21:10:07", "id": "OPENSUSE-SU-2019:1283-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00099.html", "title": "Security update for xerces-c (low)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12627"], "description": "Arch Linux Security Advisory ASA-201803-23\n==========================================\n\nSeverity: High\nDate : 2018-03-25\nCVE-ID : CVE-2017-12627\nPackage : xerces-c\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-644\n\nSummary\n=======\n\nThe package xerces-c before version 3.2.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 3.2.1-1.\n\n# pacman -Syu \"xerces-c>=3.2.1-1\"\n\nThe problem has been fixed upstream in version 3.2.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nThe Xerces-C XML parser mishandles certain kinds of external DTD\nreferences, resulting in dereference of a NULL pointer while processing\nthe path to the DTD. The bug allows for a denial of service attack in\napplications that allow DTD processing and do not prevent external DTD\nusage, and could conceivably result in remote code execution.\n\nImpact\n======\n\nA remote attacker might be able to cause a denial of service or execute\narbitrary code by submitting a crafted XML document with an external\nDTD path to an application using a vulnerable version of the xerces-c\nparser.\n\nReferences\n==========\n\nhttps://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt\nhttps://security.archlinux.org/CVE-2017-12627", "modified": "2018-03-25T00:00:00", "published": "2018-03-25T00:00:00", "id": "ASA-201803-23", "href": "https://security.archlinux.org/ASA-201803-23", "type": "archlinux", "title": "[ASA-201803-23] xerces-c: arbitrary code execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-09-02T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "The Xerces-C XML parser fails to successfully parse a DTD that is\ndeeply nested, and this causes a stack overflow, which makes a denial\nof service attack against many applications possible by an\nunauthenticated attacker.", "modified": "2016-07-05T00:00:00", "published": "2016-07-05T00:00:00", "id": "ASA-201607-2", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-July/000662.html", "type": "archlinux", "title": "xerces-c: denial of service", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "amazon": [{"lastseen": "2020-11-10T12:37:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "**Issue Overview:**\n\nA stack exhaustion flaw was found in the way Xerces-C XML parser handled deeply nested DTDs. An attacker could potentially use this flaw to crash an application using Xerces-C by tricking it into processing specially crafted data.([CVE-2016-4463 __](<https://access.redhat.com/security/cve/CVE-2016-4463>))\n\n \n**Affected Packages:** \n\n\nxerces-c\n\n \n**Issue Correction:** \nRun _yum update xerces-c_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n xerces-c-3.1.1-9.amzn2.aarch64 \n xerces-c-devel-3.1.1-9.amzn2.aarch64 \n xerces-c-debuginfo-3.1.1-9.amzn2.aarch64 \n \n i686: \n xerces-c-3.1.1-9.amzn2.i686 \n xerces-c-devel-3.1.1-9.amzn2.i686 \n xerces-c-debuginfo-3.1.1-9.amzn2.i686 \n \n noarch: \n xerces-c-doc-3.1.1-9.amzn2.noarch \n \n src: \n xerces-c-3.1.1-9.amzn2.src \n \n x86_64: \n xerces-c-3.1.1-9.amzn2.x86_64 \n xerces-c-devel-3.1.1-9.amzn2.x86_64 \n xerces-c-debuginfo-3.1.1-9.amzn2.x86_64 \n \n \n", "edition": 1, "modified": "2018-12-06T20:30:00", "published": "2018-12-06T20:30:00", "id": "ALAS2-2018-1124", "href": "https://alas.aws.amazon.com/AL2/ALAS-2018-1124.html", "title": "Medium: xerces-c", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:25:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "**CentOS Errata and Security Advisory** CESA-2018:3335\n\n\nXerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents.\n\nSecurity Fix(es):\n\n* xerces-c: Stack overflow when parsing deeply nested DTD (CVE-2016-4463)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2018-November/005710.html\n\n**Affected packages:**\nxerces-c\nxerces-c-devel\nxerces-c-doc\n\n**Upstream details at:**\n", "edition": 3, "modified": "2018-11-15T18:53:50", "published": "2018-11-15T18:53:50", "id": "CESA-2018:3335", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2018-November/005710.html", "title": "xerces security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents.\n\nSecurity Fix(es):\n\n* xerces-c: Stack overflow when parsing deeply nested DTD (CVE-2016-4463)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-11-06T20:47:41", "published": "2018-11-06T20:43:00", "id": "RHSA-2018:3514", "href": "https://access.redhat.com/errata/RHSA-2018:3514", "type": "redhat", "title": "(RHSA-2018:3514) Moderate: xerces-c security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:47:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents.\n\nSecurity Fix(es):\n\n* xerces-c: Stack overflow when parsing deeply nested DTD (CVE-2016-4463)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.", "modified": "2018-10-30T09:21:55", "published": "2018-10-30T08:44:38", "id": "RHSA-2018:3335", "href": "https://access.redhat.com/errata/RHSA-2018:3335", "type": "redhat", "title": "(RHSA-2018:3335) Moderate: xerces-c security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:44:43", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents.\n\nSecurity Fix(es):\n\n* xerces-c: Stack overflow when parsing deeply nested DTD (CVE-2016-4463)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-11-06T20:02:19", "published": "2018-11-06T19:46:34", "id": "RHSA-2018:3506", "href": "https://access.redhat.com/errata/RHSA-2018:3506", "type": "redhat", "title": "(RHSA-2018:3506) Moderate: xerces-c security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:03:43", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463"], "description": "[3.1.1-9]\n- Fix CVE-2016-4463\n- Resolves: #1534481", "edition": 3, "modified": "2018-11-05T00:00:00", "published": "2018-11-05T00:00:00", "id": "ELSA-2018-3335", "href": "http://linux.oracle.com/errata/ELSA-2018-3335.html", "title": "xerces-c security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:37", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4463", "CVE-2016-2099"], "description": "\nApache reports:\n\nThe Xerces-C XML parser fails to successfully parse a\n\t DTD that is deeply nested, and this causes a stack overflow, which\n\t makes a denial of service attack against many applications possible\n\t by an unauthenticated attacker.\nAlso, CVE-2016-2099: Use-after-free vulnerability in\n\t validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier\n\t allows context-dependent attackers to have unspecified impact via an\n\t invalid character in an XML document.\n\n", "edition": 4, "modified": "2016-05-09T00:00:00", "published": "2016-05-09T00:00:00", "id": "CB09A7AA-5344-11E6-A7BD-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/cb09a7aa-5344-11e6-a7bd-14dae9d210b8.html", "title": "xercesi-c3 -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2019-05-29T18:20:50", "bulletinFamily": "software", "cvelist": ["CVE-2015-5600", "CVE-2018-3010", "CVE-2017-5533", "CVE-2018-3004", "CVE-2015-5351", "CVE-2018-3091", "CVE-2018-3021", "CVE-2017-13218", "CVE-2017-9798", "CVE-2018-3109", "CVE-2018-2935", "CVE-2018-1000120", "CVE-2018-2948", "CVE-2018-3019", "CVE-2011-4461", "CVE-2018-2984", "CVE-2016-7103", "CVE-2017-5753", "CVE-2018-2893", "CVE-2018-2917", "CVE-2018-2981", "CVE-2017-10989", "CVE-2017-5754", "CVE-2018-3098", "CVE-2018-2965", "CVE-2018-3029", "CVE-2018-3072", "CVE-2018-1304", "CVE-2018-2969", "CVE-2018-2955", "CVE-2018-3104", "CVE-2018-3079", "CVE-2018-2906", "CVE-2018-3048", "CVE-2015-6420", "CVE-2018-2988", "CVE-2018-2944", "CVE-2018-3093", "CVE-2018-2881", "CVE-2015-3415", "CVE-2018-3055", "CVE-2017-6074", "CVE-2018-3050", "CVE-2016-5019", "CVE-2018-3027", "CVE-2018-3025", "CVE-2018-2951", "CVE-2018-3046", "CVE-2018-1275", "CVE-2018-2990", "CVE-2018-7489", "CVE-2018-2980", "CVE-2018-3069", "CVE-2018-2894", "CVE-2018-2954", "CVE-2018-3053", "CVE-2018-2953", "CVE-2018-2938", "CVE-2016-4055", "CVE-2018-3008", "CVE-2016-9878", "CVE-2017-3735", "CVE-2018-2973", "CVE-2015-5262", "CVE-2018-3009", "CVE-2014-0230", "CVE-2018-2947", "CVE-2018-1271", "CVE-2018-3015", "CVE-2018-3096", "CVE-2018-2989", "CVE-2018-2897", "CVE-2018-2961", "CVE-2018-2920", "CVE-2018-3006", "CVE-2018-1000121", "CVE-2016-0714", "CVE-2018-2994", "CVE-2016-3092", "CVE-2018-3043", "CVE-2018-2937", "CVE-2018-2924", "CVE-2018-2966", "CVE-2017-3652", "CVE-2016-5300", "CVE-2018-3031", "CVE-2018-2908", "CVE-2018-1171", "CVE-2018-3100", "CVE-2017-3648", "CVE-2014-9746", "CVE-2018-2992", "CVE-2015-5345", "CVE-2018-3002", "CVE-2018-2942", "CVE-2018-3061", "CVE-2018-3075", "CVE-2016-2105", "CVE-2018-2998", "CVE-2014-3577", "CVE-2018-2956", "CVE-2018-2975", "CVE-2016-2107", "CVE-2016-4463", "CVE-2018-3044", "CVE-2015-7501", "CVE-2018-2976", "CVE-2018-2999", "CVE-2017-3649", "CVE-2018-3101", "CVE-2018-3067", "CVE-2017-0785", "CVE-2017-3737", "CVE-2018-2962", "CVE-2018-2926", "CVE-2017-15707", "CVE-2018-2958", "CVE-2016-1182", "CVE-2018-1258", "CVE-2018-3073", "CVE-2018-1000122", "CVE-2018-1305", "CVE-2018-3095", "CVE-2017-13088", "CVE-2018-2977", "CVE-2017-5662", "CVE-2018-2995", "CVE-2017-9526", "CVE-2018-3086", "CVE-2018-2964", "CVE-2018-3047", "CVE-2018-2985", "CVE-2018-3032", "CVE-2018-2960", "CVE-2018-2997", "CVE-2018-2972", "CVE-2018-3034", "CVE-2018-3023", "CVE-2018-2904", "CVE-2016-0718", "CVE-2018-2882", "CVE-2018-3065", "CVE-2018-3102", "CVE-2014-2532", "CVE-2018-2957", "CVE-2017-5715", "CVE-2018-3057", "CVE-2016-2109", "CVE-2017-3633", "CVE-2018-2921", "CVE-2018-2915", "CVE-2018-1000300", "CVE-2017-3647", "CVE-2018-2959", "CVE-2018-2767", "CVE-2014-0114", "CVE-2018-3080", "CVE-2018-2934", "CVE-2017-3732", "CVE-2018-2949", "CVE-2018-3089", "CVE-2018-2945", "CVE-2018-2943", "CVE-2018-0739", "CVE-2015-5346", "CVE-2018-2896", "CVE-2018-3013", "CVE-2018-2936", "CVE-2018-2986", "CVE-2018-2905", "CVE-2018-2916", "CVE-2018-3087", "CVE-2018-3007", "CVE-2015-3416", "CVE-2018-1313", "CVE-2018-2991", "CVE-2018-2598", "CVE-2018-3033", "CVE-2018-8013", "CVE-2015-5174", "CVE-2014-9029", "CVE-2018-3012", "CVE-2018-3036", "CVE-2018-3062", "CVE-2018-3108", "CVE-2018-1272", "CVE-2018-2987", "CVE-2017-7525", "CVE-2018-3060", "CVE-2018-3071", "CVE-2018-3014", "CVE-2018-3051", "CVE-2015-3414", "CVE-2018-3103", "CVE-2018-2979", "CVE-2018-2993", "CVE-2018-3092", "CVE-2015-0204", "CVE-2014-7810", "CVE-2018-3022", "CVE-2018-1270", "CVE-2018-2903", "CVE-2017-3651", "CVE-2018-3058", "CVE-2016-0706", "CVE-2017-3641", "CVE-2018-2928", "CVE-2017-5664", "CVE-2018-2900", "CVE-2018-2898", "CVE-2018-3003", "CVE-2018-3001", "CVE-2018-2950", "CVE-2018-2929", "CVE-2018-0733", "CVE-2017-3635", "CVE-2018-3094", "CVE-2016-1181", "CVE-2018-2941", "CVE-2014-8157", "CVE-2018-2933", "CVE-2018-3017", "CVE-2016-9843", "CVE-2018-2946", "CVE-2016-2176", "CVE-2016-8735", "CVE-2018-2940", "CVE-2017-3738", "CVE-2018-2930", "CVE-2018-3049", "CVE-2018-2918", "CVE-2018-3076", "CVE-2018-2982", "CVE-2018-3041", "CVE-2016-5195", "CVE-2018-3026", "CVE-2018-2901", "CVE-2018-2939", "CVE-2018-3081", "CVE-2018-3085", "CVE-2017-5645", "CVE-2016-2099", "CVE-2018-3024", "CVE-2018-2892", "CVE-2018-3070", "CVE-2018-3018", "CVE-2017-12617", "CVE-2018-3077", "CVE-2018-3054", "CVE-2017-5529", "CVE-2017-3653", "CVE-2016-9841", "CVE-2015-7940", "CVE-2018-2970", "CVE-2018-2963", "CVE-2017-3736", "CVE-2018-3028", "CVE-2018-3074", "CVE-2018-3052", "CVE-2018-3063", "CVE-2017-0379", "CVE-2018-2919", "CVE-2018-3039", "CVE-2018-3082", "CVE-2018-2899", "CVE-2018-2974", "CVE-2018-2932", "CVE-2018-3038", "CVE-2018-3097", "CVE-2018-3020", "CVE-2016-3506", "CVE-2018-3005", "CVE-2018-3090", "CVE-2017-3636", "CVE-2018-3035", "CVE-2018-2968", "CVE-2018-2907", "CVE-2017-15095", "CVE-2018-3064", "CVE-2018-3037", "CVE-2018-2895", "CVE-2018-3068", "CVE-2018-3078", "CVE-2018-2996", "CVE-2018-2923", "CVE-2018-3030", "CVE-2018-3099", "CVE-2018-3084", "CVE-2016-2106", "CVE-2017-3634", "CVE-2016-6814", "CVE-2018-3066", "CVE-2018-2925", "CVE-2018-3056", "CVE-2018-3639", "CVE-2018-1000301", "CVE-2018-3040", "CVE-2018-3000", "CVE-2018-3045", "CVE-2018-3640", "CVE-2018-3016", "CVE-2018-3088", "CVE-2018-2967", "CVE-2018-2888", "CVE-2018-1327", "CVE-2018-2927", "CVE-2018-2952", "CVE-2018-3105", "CVE-2018-3042", "CVE-2018-2891", "CVE-2018-2978"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<http://www.oracle.com/securityalerts>) for information about Oracle Security Advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 334 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2420273.1>).\n\nMany industry experts anticipate that exploits leveraging known flaws in modern processor designs will continue to be disclosed for the foreseeable future (i.e., \"Spectre\" variants). For information related to these issues, please refer to:\n\n * the January 2018 Critical Patch Update (and later) Advisories,\n * the \"Addendum to the January 2018 Critical Patch Update Advisory for Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754)\" ([Doc ID 2347948.1](<https://support.oracle.com/rs?type=doc&id=2347948.1>)), and\n * \"Information about processor vulnerabilities CVE-2018-3640 (\"Spectre v3a\") and CVE-2018-3639 (\"Spectre v4\")\" ([Doc ID 2399123.1](<https://support.oracle.com/rs?type=doc&id=2399123.1>)).\n\n \n", "modified": "2018-10-12T00:00:00", "published": "2018-07-17T00:00:00", "id": "ORACLE:CPUJUL2018-4258247", "href": "", "type": "oracle", "title": "CPU July 2018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:15:58", "bulletinFamily": "software", "cvelist": ["CVE-2011-4461", "CVE-2014-0114", "CVE-2014-0230", "CVE-2014-2532", "CVE-2014-3577", "CVE-2014-7810", "CVE-2014-8157", "CVE-2014-9029", "CVE-2014-9746", "CVE-2015-0204", "CVE-2015-3414", "CVE-2015-3415", "CVE-2015-3416", "CVE-2015-5174", "CVE-2015-5262", "CVE-2015-5345", "CVE-2015-5346", "CVE-2015-5351", "CVE-2015-5600", "CVE-2015-6420", "CVE-2015-7501", "CVE-2015-7940", "CVE-2016-0706", "CVE-2016-0714", "CVE-2016-0718", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2099", "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-3092", "CVE-2016-3506", "CVE-2016-4055", "CVE-2016-4463", "CVE-2016-5019", "CVE-2016-5195", "CVE-2016-5300", "CVE-2016-6814", "CVE-2016-7103", "CVE-2016-8735", "CVE-2016-9841", "CVE-2016-9843", "CVE-2016-9878", "CVE-2017-0379", "CVE-2017-0785", "CVE-2017-10989", "CVE-2017-12617", "CVE-2017-13088", "CVE-2017-13218", "CVE-2017-15095", "CVE-2017-15707", "CVE-2017-3633", "CVE-2017-3634", "CVE-2017-3635", "CVE-2017-3636", "CVE-2017-3641", "CVE-2017-3647", "CVE-2017-3648", "CVE-2017-3649", "CVE-2017-3651", "CVE-2017-3652", "CVE-2017-3653", "CVE-2017-3732", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738", "CVE-2017-5529", "CVE-2017-5533", "CVE-2017-5645", "CVE-2017-5662", "CVE-2017-5664", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-6074", "CVE-2017-7525", "CVE-2017-9526", "CVE-2017-9798", "CVE-2018-0733", "CVE-2018-0739", "CVE-2018-1000120", "CVE-2018-1000121", "CVE-2018-1000122", "CVE-2018-1000300", "CVE-2018-1000301", "CVE-2018-1171", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-1313", "CVE-2018-1327", "CVE-2018-2598", "CVE-2018-2767", "CVE-2018-2881", "CVE-2018-2882", "CVE-2018-2888", "CVE-2018-2891", "CVE-2018-2892", "CVE-2018-2893", "CVE-2018-2894", "CVE-2018-2895", "CVE-2018-2896", "CVE-2018-2897", "CVE-2018-2898", "CVE-2018-2899", "CVE-2018-2900", "CVE-2018-2901", "CVE-2018-2903", "CVE-2018-2904", "CVE-2018-2905", "CVE-2018-2906", "CVE-2018-2907", "CVE-2018-2908", "CVE-2018-2915", "CVE-2018-2916", "CVE-2018-2917", "CVE-2018-2918", "CVE-2018-2919", "CVE-2018-2920", "CVE-2018-2921", "CVE-2018-2923", "CVE-2018-2924", "CVE-2018-2925", "CVE-2018-2926", "CVE-2018-2927", "CVE-2018-2928", "CVE-2018-2929", "CVE-2018-2930", "CVE-2018-2932", "CVE-2018-2933", "CVE-2018-2934", "CVE-2018-2935", "CVE-2018-2936", "CVE-2018-2937", "CVE-2018-2938", "CVE-2018-2939", "CVE-2018-2940", "CVE-2018-2941", "CVE-2018-2942", "CVE-2018-2943", "CVE-2018-2944", "CVE-2018-2945", "CVE-2018-2946", "CVE-2018-2947", "CVE-2018-2948", "CVE-2018-2949", "CVE-2018-2950", "CVE-2018-2951", "CVE-2018-2952", "CVE-2018-2953", "CVE-2018-2954", "CVE-2018-2955", "CVE-2018-2956", "CVE-2018-2957", "CVE-2018-2958", "CVE-2018-2959", "CVE-2018-2960", "CVE-2018-2961", "CVE-2018-2962", "CVE-2018-2963", "CVE-2018-2964", "CVE-2018-2965", "CVE-2018-2966", "CVE-2018-2967", "CVE-2018-2968", "CVE-2018-2969", "CVE-2018-2970", "CVE-2018-2972", "CVE-2018-2973", "CVE-2018-2974", "CVE-2018-2975", "CVE-2018-2976", "CVE-2018-2977", "CVE-2018-2978", "CVE-2018-2979", "CVE-2018-2980", "CVE-2018-2981", "CVE-2018-2982", "CVE-2018-2984", "CVE-2018-2985", "CVE-2018-2986", "CVE-2018-2987", "CVE-2018-2988", "CVE-2018-2989", "CVE-2018-2990", "CVE-2018-2991", "CVE-2018-2992", "CVE-2018-2993", "CVE-2018-2994", "CVE-2018-2995", "CVE-2018-2996", "CVE-2018-2997", "CVE-2018-2998", "CVE-2018-2999", "CVE-2018-3000", "CVE-2018-3001", "CVE-2018-3002", "CVE-2018-3003", "CVE-2018-3004", "CVE-2018-3005", "CVE-2018-3006", "CVE-2018-3007", "CVE-2018-3008", "CVE-2018-3009", "CVE-2018-3010", "CVE-2018-3012", "CVE-2018-3013", "CVE-2018-3014", "CVE-2018-3015", "CVE-2018-3016", "CVE-2018-3017", "CVE-2018-3018", "CVE-2018-3019", "CVE-2018-3020", "CVE-2018-3021", "CVE-2018-3022", "CVE-2018-3023", "CVE-2018-3024", "CVE-2018-3025", "CVE-2018-3026", "CVE-2018-3027", "CVE-2018-3028", "CVE-2018-3029", "CVE-2018-3030", "CVE-2018-3031", "CVE-2018-3032", "CVE-2018-3033", "CVE-2018-3034", "CVE-2018-3035", "CVE-2018-3036", "CVE-2018-3037", "CVE-2018-3038", "CVE-2018-3039", "CVE-2018-3040", "CVE-2018-3041", "CVE-2018-3042", "CVE-2018-3043", "CVE-2018-3044", "CVE-2018-3045", "CVE-2018-3046", "CVE-2018-3047", "CVE-2018-3048", "CVE-2018-3049", "CVE-2018-3050", "CVE-2018-3051", "CVE-2018-3052", "CVE-2018-3053", "CVE-2018-3054", "CVE-2018-3055", "CVE-2018-3056", "CVE-2018-3057", "CVE-2018-3058", "CVE-2018-3060", "CVE-2018-3061", "CVE-2018-3062", "CVE-2018-3063", "CVE-2018-3064", "CVE-2018-3065", "CVE-2018-3066", "CVE-2018-3067", "CVE-2018-3068", "CVE-2018-3069", "CVE-2018-3070", "CVE-2018-3071", "CVE-2018-3072", "CVE-2018-3073", "CVE-2018-3074", "CVE-2018-3075", "CVE-2018-3076", "CVE-2018-3077", "CVE-2018-3078", "CVE-2018-3079", "CVE-2018-3080", "CVE-2018-3081", "CVE-2018-3082", "CVE-2018-3084", "CVE-2018-3085", "CVE-2018-3086", "CVE-2018-3087", "CVE-2018-3088", "CVE-2018-3089", "CVE-2018-3090", "CVE-2018-3091", "CVE-2018-3092", "CVE-2018-3093", "CVE-2018-3094", "CVE-2018-3095", "CVE-2018-3096", "CVE-2018-3097", "CVE-2018-3098", "CVE-2018-3099", "CVE-2018-3100", "CVE-2018-3101", "CVE-2018-3102", "CVE-2018-3103", "CVE-2018-3104", "CVE-2018-3105", "CVE-2018-3108", "CVE-2018-3109", "CVE-2018-3639", "CVE-2018-3640", "CVE-2018-7489", "CVE-2018-8013"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: \n\n * Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 334 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2420273.1>).\n\nMany industry experts anticipate that exploits leveraging known flaws in modern processor designs will continue to be disclosed for the foreseeable future (i.e., \u201cSpectre\u201d variants). For information related to these issues, please refer to:\n\n * the January 2018 Critical Patch Update (and later) Advisories,\n * the \"Addendum to the January 2018 Critical Patch Update Advisory for Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754)\" ([Doc ID 2347948.1](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2347948.1>)), and\n * \"Information about processor vulnerabilities CVE-2018-3640 (\"Spectre v3a\") and CVE-2018-3639 (\"Spectre v4\")\" ([Doc ID 2399123.1](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2399123.1>)).\n", "modified": "2018-10-12T00:00:00", "published": "2018-07-17T00:00:00", "id": "ORACLE:CPUJUL2018", "href": "", "type": "oracle", "title": "CPU July 2018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T15:41:24", "bulletinFamily": "software", "cvelist": ["CVE-2015-0254", "CVE-2015-1832", "CVE-2015-3253", "CVE-2015-7940", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-10244", "CVE-2016-10251", "CVE-2016-10328", "CVE-2016-2183", "CVE-2016-2381", "CVE-2016-3092", "CVE-2016-4000", "CVE-2016-4463", "CVE-2016-6306", "CVE-2016-6489", "CVE-2016-7103", "CVE-2016-8610", "CVE-2017-12626", "CVE-2017-13745", "CVE-2017-14232", "CVE-2017-14735", "CVE-2017-15706", "CVE-2017-3160", "CVE-2017-5130", "CVE-2017-5529", "CVE-2017-5533", "CVE-2017-5645", "CVE-2017-5754", "CVE-2017-7857", "CVE-2017-7858", "CVE-2017-7864", "CVE-2017-8105", "CVE-2017-8287", "CVE-2018-0732", "CVE-2018-0734", "CVE-2018-0737", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-1000873", "CVE-2018-10237", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11307", "CVE-2018-1165", "CVE-2018-11775", "CVE-2018-11784", "CVE-2018-11797", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1258", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-1320", "CVE-2018-1336", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-15756", "CVE-2018-15769", "CVE-2018-17197", "CVE-2018-18227", "CVE-2018-18311", "CVE-2018-18873", "CVE-2018-19139", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-19539", "CVE-2018-19540", "CVE-2018-19541", "CVE-2018-19542", "CVE-2018-19543", "CVE-2018-19622", "CVE-2018-19623", "CVE-2018-19624", "CVE-2018-19625", "CVE-2018-19626", "CVE-2018-19627", "CVE-2018-19628", "CVE-2018-20346", "CVE-2018-20506", "CVE-2018-20570", "CVE-2018-20584", "CVE-2018-20622", "CVE-2018-20843", "CVE-2018-20852", "CVE-2018-5407", "CVE-2018-5711", "CVE-2018-5712", "CVE-2018-6942", "CVE-2018-8014", "CVE-2018-8032", "CVE-2018-8034", "CVE-2018-8036", "CVE-2018-8037", "CVE-2018-8039", "CVE-2018-9055", "CVE-2018-9154", "CVE-2018-9252", "CVE-2019-0196", "CVE-2019-0197", "CVE-2019-0199", "CVE-2019-0211", "CVE-2019-0215", "CVE-2019-0217", "CVE-2019-0220", "CVE-2019-0221", "CVE-2019-0222", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0232", "CVE-2019-10072", "CVE-2019-10081", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-10088", "CVE-2019-10092", "CVE-2019-10093", "CVE-2019-10094", "CVE-2019-10097", "CVE-2019-10098", "CVE-2019-1010238", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-11358", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12387", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-12415", "CVE-2019-12418", "CVE-2019-12419", "CVE-2019-12855", "CVE-2019-13057", "CVE-2019-13565", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14821", "CVE-2019-14889", "CVE-2019-15161", "CVE-2019-15162", "CVE-2019-15163", "CVE-2019-15164", "CVE-2019-15165", "CVE-2019-1543", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1552", "CVE-2019-15601", "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606", "CVE-2019-1563", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-16168", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17195", "CVE-2019-17359", "CVE-2019-17531", "CVE-2019-17563", "CVE-2019-17571", "CVE-2019-18197", "CVE-2019-19242", "CVE-2019-19244", "CVE-2019-19269", "CVE-2019-19317", "CVE-2019-19553", "CVE-2019-19603", "CVE-2019-19645", "CVE-2019-19646", "CVE-2019-19880", "CVE-2019-19923", "CVE-2019-19924", "CVE-2019-19925", "CVE-2019-19926", "CVE-2019-19959", "CVE-2019-20218", "CVE-2019-20330", "CVE-2019-2412", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2756", "CVE-2019-2759", "CVE-2019-2852", "CVE-2019-2853", "CVE-2019-2878", "CVE-2019-2880", "CVE-2019-2899", "CVE-2019-2904", "CVE-2019-3008", "CVE-2019-5427", "CVE-2019-5435", "CVE-2019-5436", "CVE-2019-5443", "CVE-2019-5481", "CVE-2019-5482", "CVE-2019-8457", "CVE-2019-9517", "CVE-2019-9579", "CVE-2020-2514", "CVE-2020-2522", "CVE-2020-2524", "CVE-2020-2553", "CVE-2020-2558", "CVE-2020-2575", "CVE-2020-2578", "CVE-2020-2594", "CVE-2020-2680", "CVE-2020-2706", "CVE-2020-2733", "CVE-2020-2734", "CVE-2020-2735", "CVE-2020-2737", "CVE-2020-2738", "CVE-2020-2739", "CVE-2020-2740", "CVE-2020-2741", "CVE-2020-2742", "CVE-2020-2743", "CVE-2020-2744", "CVE-2020-2745", "CVE-2020-2746", "CVE-2020-2747", "CVE-2020-2748", "CVE-2020-2749", "CVE-2020-2750", "CVE-2020-2751", "CVE-2020-2752", "CVE-2020-2753", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2758", "CVE-2020-2759", "CVE-2020-2760", "CVE-2020-2761", "CVE-2020-2762", "CVE-2020-2763", "CVE-2020-2764", "CVE-2020-2765", "CVE-2020-2766", "CVE-2020-2767", "CVE-2020-2768", "CVE-2020-2769", "CVE-2020-2770", "CVE-2020-2771", "CVE-2020-2772", "CVE-2020-2773", "CVE-2020-2774", "CVE-2020-2775", "CVE-2020-2776", "CVE-2020-2777", "CVE-2020-2778", "CVE-2020-2779", "CVE-2020-2780", "CVE-2020-2781", "CVE-2020-2782", "CVE-2020-2783", "CVE-2020-2784", "CVE-2020-2785", "CVE-2020-2786", "CVE-2020-2787", "CVE-2020-2789", "CVE-2020-2790", "CVE-2020-2791", "CVE-2020-2793", "CVE-2020-2794", "CVE-2020-2795", "CVE-2020-2796", "CVE-2020-2797", "CVE-2020-2798", "CVE-2020-2799", "CVE-2020-2800", "CVE-2020-2801", "CVE-2020-2802", "CVE-2020-2803", "CVE-2020-2804", "CVE-2020-2805", "CVE-2020-2806", "CVE-2020-2807", "CVE-2020-2808", "CVE-2020-2809", "CVE-2020-2810", "CVE-2020-2811", "CVE-2020-2812", "CVE-2020-2813", "CVE-2020-2814", "CVE-2020-2815", "CVE-2020-2816", "CVE-2020-2817", "CVE-2020-2818", "CVE-2020-2819", "CVE-2020-2820", "CVE-2020-2821", "CVE-2020-2822", "CVE-2020-2823", "CVE-2020-2824", "CVE-2020-2825", "CVE-2020-2826", "CVE-2020-2827", "CVE-2020-2828", "CVE-2020-2829", "CVE-2020-2830", "CVE-2020-2831", "CVE-2020-2832", "CVE-2020-2833", "CVE-2020-2834", "CVE-2020-2835", "CVE-2020-2836", "CVE-2020-2837", "CVE-2020-2838", "CVE-2020-2839", "CVE-2020-2840", "CVE-2020-2841", "CVE-2020-2842", "CVE-2020-2843", "CVE-2020-2844", "CVE-2020-2845", "CVE-2020-2846", "CVE-2020-2847", "CVE-2020-2848", "CVE-2020-2849", "CVE-2020-2850", "CVE-2020-2851", "CVE-2020-2852", "CVE-2020-2853", "CVE-2020-2854", "CVE-2020-2855", "CVE-2020-2856", "CVE-2020-2857", "CVE-2020-2858", "CVE-2020-2859", "CVE-2020-2860", "CVE-2020-2861", "CVE-2020-2862", "CVE-2020-2863", "CVE-2020-2864", "CVE-2020-2865", "CVE-2020-2866", "CVE-2020-2867", "CVE-2020-2868", "CVE-2020-2869", "CVE-2020-2870", "CVE-2020-2871", "CVE-2020-2872", "CVE-2020-2873", "CVE-2020-2874", "CVE-2020-2875", "CVE-2020-2876", "CVE-2020-2877", "CVE-2020-2878", "CVE-2020-2879", "CVE-2020-2880", "CVE-2020-2881", "CVE-2020-2882", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2885", "CVE-2020-2886", "CVE-2020-2887", "CVE-2020-2888", "CVE-2020-2889", "CVE-2020-2890", "CVE-2020-2891", "CVE-2020-2892", "CVE-2020-2893", "CVE-2020-2894", "CVE-2020-2895", "CVE-2020-2896", "CVE-2020-2897", "CVE-2020-2898", "CVE-2020-2899", "CVE-2020-2900", "CVE-2020-2901", "CVE-2020-2902", "CVE-2020-2903", "CVE-2020-2904", "CVE-2020-2905", "CVE-2020-2906", "CVE-2020-2907", "CVE-2020-2908", "CVE-2020-2909", "CVE-2020-2910", "CVE-2020-2911", "CVE-2020-2912", "CVE-2020-2913", "CVE-2020-2914", "CVE-2020-2915", "CVE-2020-2920", "CVE-2020-2921", "CVE-2020-2922", "CVE-2020-2923", "CVE-2020-2924", "CVE-2020-2925", "CVE-2020-2926", "CVE-2020-2927", "CVE-2020-2928", "CVE-2020-2929", "CVE-2020-2930", "CVE-2020-2931", "CVE-2020-2932", "CVE-2020-2933", "CVE-2020-2934", "CVE-2020-2935", "CVE-2020-2936", "CVE-2020-2937", "CVE-2020-2938", "CVE-2020-2939", "CVE-2020-2940", "CVE-2020-2941", "CVE-2020-2942", "CVE-2020-2943", "CVE-2020-2944", "CVE-2020-2945", "CVE-2020-2946", "CVE-2020-2947", "CVE-2020-2949", "CVE-2020-2950", "CVE-2020-2951", "CVE-2020-2952", "CVE-2020-2953", "CVE-2020-2954", "CVE-2020-2955", "CVE-2020-2956", "CVE-2020-2958", "CVE-2020-2959", "CVE-2020-2961", "CVE-2020-2963", "CVE-2020-2964", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-7044", "CVE-2020-8840"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:\n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/security-alerts>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 399 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2652714.1>).\n", "modified": "2020-07-20T00:00:00", "published": "2020-04-14T00:00:00", "id": "ORACLE:CPUAPR2020", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2020", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}