[SECURITY] [DLA 1328-1] xerces-c security update
Package : xerces-c
Version : 3.1.1-3+deb7u5
CVE ID : CVE-2017-12627
Debian Bug : 894050

Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research
discovered that the Xerces-C XML parser mishandles certain kinds of
external DTD references, resulting in dereference of a NULL pointer
while processing the path to the DTD. The bug allows for a denial of
service attack in applications that allow DTD processing and do not
prevent external DTD usage, and could conceivably result in remote code
execution.

For Debian 7 "Wheezy", this problem has been fixed in version
3.1.1-3+deb7u5.

We recommend that you upgrade your xerces-c packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS