
Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2



Control: tags -1 + confirmed

On Thu, 2018-04-26 at 03:17 -0400, William Blough wrote:
> I would like to update xerces-c in a future point release.  This update
> will fix two issues:
> 
>   * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
>     Offensive Research discovered that the Xerces-C XML parser mishandles
>     certain kinds of external DTD references, resulting in dereference of a
>     NULL pointer while processing the path to the DTD. The bug allows for a
>     denial of service attack in applications that allow DTD processing and do
>     not prevent external DTD usage, and could conceivably result in remote code
>     execution.
>   * Fix a regression that forced gcc to use SSE2, even on platforms that do not
>     support it (e.g., i386).  This caused program crashes due to invalid CPU
>     instructions.

Please go ahead.

Regards,

Adam

