
Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2



Uploaded.  Thanks!

On Sat, Apr 28, 2018 at 08:30:02PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2018-04-26 at 03:17 -0400, William Blough wrote:
> > I would like to update xerces-c in a future point release.  This update
> > will fix two issues:
> > 
> >   * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
> >     Offensive Research discovered that the Xerces-C XML parser mishandles
> >     certain kinds of external DTD references, resulting in dereference of a
> >     NULL pointer while processing the path to the DTD. The bug allows for a
> >     denial of service attack in applications that allow DTD processing and do
> >     not prevent external DTD usage, and could conceivably result in remote code
> >     execution.
> >   * Fix a regression that forced gcc to use SSE2, even on platforms that do not
> >     support it (e.g., i386).  This caused program crashes due to invalid CPU
> >     instructions.
> 
> Please go ahead.
> 
> Regards,
> 
> Adam
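The quoted changelog entry describes the exposed population as applications that "allow DTD processing and do not prevent external DTD usage". The following is an added example, not code from the xerces-c package or from this bug report: a self-contained C++ pre-parse gate that refuses a document whose DOCTYPE carries a SYSTEM or PUBLIC external identifier before the bytes reach the parser. The function name has_external_dtd and the sample documents are constructed for this illustration. In Xerces-C the primary control is to tell the parser not to load the external DTD at all (the XMLUni::fgXercesLoadExternalDTD feature, or XercesDOMParser::setLoadExternalDTD(false)); the scan below is defence in depth for code paths where that parser setting cannot be guaranteed, and it deliberately does not cover external entity declarations inside an internal subset.

```cpp
#include <cassert>
#include <cctype>
#include <cstdio>
#include <string>

// Added example, not Xerces-C or Debian package code. A pre-parse gate that
// rejects a document whose DOCTYPE references an external DTD subset, the
// input class described for CVE-2017-12627. The real control in Xerces-C is
// to disable external DTD loading on the parser (XMLUni::fgXercesLoadExternalDTD
// set to false, or XercesDOMParser::setLoadExternalDTD(false)); this scan is
// defence in depth for code paths where that setting cannot be guaranteed.

namespace {

bool is_ws(char c) {
    return std::isspace(static_cast<unsigned char>(c)) != 0;
}

// Skip whitespace, comments and processing instructions (including the XML
// declaration), all of which may legally precede the DOCTYPE in the prolog.
// Returns the offset of the next other markup, or npos if none remains.
std::string::size_type skip_misc(const std::string& xml,
                                 std::string::size_type pos) {
    for (;;) {
        while (pos < xml.size() && is_ws(xml[pos])) ++pos;
        if (xml.compare(pos, 4, "<!--") == 0) {
            std::string::size_type end = xml.find("-->", pos + 4);
            if (end == std::string::npos) return std::string::npos;
            pos = end + 3;
        } else if (xml.compare(pos, 2, "<?") == 0) {
            std::string::size_type end = xml.find("?>", pos + 2);
            if (end == std::string::npos) return std::string::npos;
            pos = end + 2;
        } else {
            return pos < xml.size() ? pos : std::string::npos;
        }
    }
}

}  // namespace

// True when the prolog holds <!DOCTYPE name SYSTEM ...> or
// <!DOCTYPE name PUBLIC ...>, i.e. an external DTD subset that the parser
// would try to resolve. A DOCTYPE with only an internal subset
// (<!DOCTYPE name [ ... ]>) is not flagged; external entity declarations
// inside that subset are a separate concern not covered by this gate.
bool has_external_dtd(const std::string& xml) {
    std::string::size_type pos = skip_misc(xml, 0);
    if (pos == std::string::npos || xml.compare(pos, 9, "<!DOCTYPE") != 0)
        return false;
    pos += 9;
    // Require whitespace, then skip the document type (root element) name.
    if (pos >= xml.size() || !is_ws(xml[pos])) return false;
    while (pos < xml.size() && is_ws(xml[pos])) ++pos;
    while (pos < xml.size() && !is_ws(xml[pos]) && xml[pos] != '[' &&
           xml[pos] != '>')
        ++pos;
    while (pos < xml.size() && is_ws(xml[pos])) ++pos;
    // The next token decides. An external ID keyword must be followed by
    // whitespace, so a name such as "SYSTEMX" does not match.
    if (xml.compare(pos, 6, "SYSTEM") == 0 || xml.compare(pos, 6, "PUBLIC") == 0)
        return pos + 6 < xml.size() && is_ws(xml[pos + 6]);
    return false;
}

// Constructed sample documents for the stand-alone run.
int main() {
    const std::string safe =
        "<?xml version=\"1.0\"?>\n<!-- no doctype -->\n<root/>\n";
    const std::string internal_only =
        "<!DOCTYPE root [ <!ELEMENT root EMPTY> ]>\n<root/>\n";
    const std::string external_system =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE root SYSTEM \"root.dtd\">\n<root/>\n";
    const std::string external_public =
        "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n"
        "  \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html/>\n";

    std::printf("no doctype:      external=%d\n", has_external_dtd(safe));
    std::printf("internal subset: external=%d\n", has_external_dtd(internal_only));
    std::printf("SYSTEM id:       external=%d\n", has_external_dtd(external_system));
    std::printf("PUBLIC id:       external=%d\n", has_external_dtd(external_public));
    return 0;
}
```

A document that the gate flags should be rejected outright rather than parsed with DTD processing enabled; the gate is cheap enough to run on every untrusted document before it is handed to any XML parser.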

