[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [ MDVSA-2009:223 ] xerces-c



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:223
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xerces-c
 Date    : August 30, 2009
 Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in xerces-c:
 
 Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
 Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to
 cause a denial of service (application crash) via vectors involving
 nested parentheses and invalid byte values in simply nested DTD
 structures, as demonstrated by the Codenomicon XML fuzzing framework
 (CVE-2009-1885).
 
 This update provides a solution to this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 6fe1343e12872cfb72600cda610a7156  
2008.1/i586/libxerces-c0-2.7.0-7.1mdv2008.1.i586.rpm
 52a88c588964e773d06aee149431db62  
2008.1/i586/libxerces-c0-devel-2.7.0-7.1mdv2008.1.i586.rpm
 bc2033e182f9431de38591c61a79d04e  
2008.1/i586/xerces-c-doc-2.7.0-7.1mdv2008.1.i586.rpm 
 f1650c04f1226497c237b9df8ca52914  
2008.1/SRPMS/xerces-c-2.7.0-7.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 b443ce3f0d4b6dd9b788f2f5e5dc5018  
2008.1/x86_64/lib64xerces-c0-2.7.0-7.1mdv2008.1.x86_64.rpm
 0721b1c2c3c3cc3778cfab91e74e80de  
2008.1/x86_64/lib64xerces-c0-devel-2.7.0-7.1mdv2008.1.x86_64.rpm
 d19e80b801f968cb7aacd440e25e87fd  
2008.1/x86_64/xerces-c-doc-2.7.0-7.1mdv2008.1.x86_64.rpm 
 f1650c04f1226497c237b9df8ca52914  
2008.1/SRPMS/xerces-c-2.7.0-7.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 456a414a9b9198e635656662a7e94aba  
2009.0/i586/libxerces-c0-2.7.0-7.1mdv2009.0.i586.rpm
 1f3b5377f035b888ce9ae44032315996  
2009.0/i586/libxerces-c0-devel-2.7.0-7.1mdv2009.0.i586.rpm
 35bf505f9c495ad6ea524769efd3daa7  
2009.0/i586/libxerces-c28-2.8.0-2.1mdv2009.0.i586.rpm
 b380105dbd43b807d2e221f2629a7e14  
2009.0/i586/libxerces-c-devel-2.8.0-2.1mdv2009.0.i586.rpm
 edb9336631ab0cb1b93d512218fd7154  
2009.0/i586/xerces-c-doc-2.7.0-7.1mdv2009.0.i586.rpm
 f598ff70574e18cbe2a1fd1f4e37db35  
2009.0/i586/xerces-c-doc-2.8.0-2.1mdv2009.0.i586.rpm 
 a13a2e170b253495cbbc5ce6771e617b  
2009.0/SRPMS/xerces-c-2.7.0-7.1mdv2009.0.src.rpm
 76d86a6868412ee03be540e0451f6ef3  
2009.0/SRPMS/xerces-c-2.8.0-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 05bd3f1dec9e2ff7d4737e145998587e  
2009.0/x86_64/lib64xerces-c0-2.7.0-7.1mdv2009.0.x86_64.rpm
 17ef57d1bee9cd1b80f020f9a01a5c78  
2009.0/x86_64/lib64xerces-c0-devel-2.7.0-7.1mdv2009.0.x86_64.rpm
 ebec80803cf8add9a94ae02a6045f1fd  
2009.0/x86_64/lib64xerces-c28-2.8.0-2.1mdv2009.0.x86_64.rpm
 85ea70a0737137061741b11af8f3720b  
2009.0/x86_64/lib64xerces-c-devel-2.8.0-2.1mdv2009.0.x86_64.rpm
 3649d09123e345059218ed706ca724be  
2009.0/x86_64/xerces-c-doc-2.7.0-7.1mdv2009.0.x86_64.rpm
 3e3020d0e14617e2b2ad1c2de06e7a3f  
2009.0/x86_64/xerces-c-doc-2.8.0-2.1mdv2009.0.x86_64.rpm 
 a13a2e170b253495cbbc5ce6771e617b  
2009.0/SRPMS/xerces-c-2.7.0-7.1mdv2009.0.src.rpm
 76d86a6868412ee03be540e0451f6ef3  
2009.0/SRPMS/xerces-c-2.8.0-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 1700f8e14c729fe9832e562510a489bf  
2009.1/i586/libxerces-c28-2.8.0-2.1mdv2009.1.i586.rpm
 5d7918c10d10c591f9ca2312bf365532  
2009.1/i586/libxerces-c-devel-2.8.0-2.1mdv2009.1.i586.rpm
 b1c26127c4734e61d38f6b5360f678b8  
2009.1/i586/xerces-c-doc-2.8.0-2.1mdv2009.1.i586.rpm 
 85116e6849e6201535dad276c3449a02  
2009.1/SRPMS/xerces-c-2.8.0-2.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 d62bdc0c0b443af4b5a2f3b7031eace2  
2009.1/x86_64/lib64xerces-c28-2.8.0-2.1mdv2009.1.x86_64.rpm
 34674db83d664fdd5bb2918fc2e2d4ca  
2009.1/x86_64/lib64xerces-c-devel-2.8.0-2.1mdv2009.1.x86_64.rpm
 8749b4d5b99477f1057abfc69a0713f1  
2009.1/x86_64/xerces-c-doc-2.8.0-2.1mdv2009.1.x86_64.rpm 
 85116e6849e6201535dad276c3449a02  
2009.1/SRPMS/xerces-c-2.8.0-2.1mdv2009.1.src.rpm

 Mandriva Enterprise Server 5:
 833d6d41e3b719b4d9a26e126d38f85c  
mes5/i586/libxerces-c0-2.7.0-7.1mdvmes5.i586.rpm
 2c234197dda4b427dac53a1908f28a6b  
mes5/i586/libxerces-c0-devel-2.7.0-7.1mdvmes5.i586.rpm
 4360120c35f047e0c46550132a8388d4  
mes5/i586/libxerces-c28-2.8.0-2.1mdvmes5.i586.rpm
 af19c3b823b4b857fbffec760d8750a3  
mes5/i586/libxerces-c-devel-2.8.0-2.1mdvmes5.i586.rpm
 43234d44a3f6d0fba412257ba51ed0aa  
mes5/i586/xerces-c-doc-2.7.0-7.1mdvmes5.i586.rpm
 e4a6858ac8d2f3acb02af0b48e8620b8  
mes5/i586/xerces-c-doc-2.8.0-2.1mdvmes5.i586.rpm 
 14c4d8bd71fa9f5de81fb200dd45a264  mes5/SRPMS/xerces-c-2.7.0-7.1mdvmes5.src.rpm
 51fb9e82eecd07d7829beca2977a7236  mes5/SRPMS/xerces-c-2.8.0-2.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 7b00a6a7035797e3bf5a6f7281202f58  
mes5/x86_64/lib64xerces-c0-2.7.0-7.1mdvmes5.x86_64.rpm
 e46a2044d9e25ae4e57554ef69bc4f91  
mes5/x86_64/lib64xerces-c0-devel-2.7.0-7.1mdvmes5.x86_64.rpm
 a4dd5e9cd4e80c9ed4da70491a068ad5  
mes5/x86_64/lib64xerces-c28-2.8.0-2.1mdvmes5.x86_64.rpm
 b3b8b9fbcf931e6f9bf0d98d933f23ff  
mes5/x86_64/lib64xerces-c-devel-2.8.0-2.1mdvmes5.x86_64.rpm
 c39464cecd5ada674e1d0955e4751ffa  
mes5/x86_64/xerces-c-doc-2.7.0-7.1mdvmes5.x86_64.rpm
 07bd56e33e2acb0449a6ae4bdc43f9aa  
mes5/x86_64/xerces-c-doc-2.8.0-2.1mdvmes5.x86_64.rpm 
 14c4d8bd71fa9f5de81fb200dd45a264  mes5/SRPMS/xerces-c-2.7.0-7.1mdvmes5.src.rpm
 51fb9e82eecd07d7829beca2977a7236  mes5/SRPMS/xerces-c-2.8.0-2.1mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKmpCbmqjQ0CJFipgRAsT/AJ9pEVZLPjebqx4y+VH66BQIe8WDoQCglct4
hf7U+mMdvf5JG4LtWZJNu64=
=rySh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/