Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2
Uploaded. Thanks!
On Sat, Apr 28, 2018 at 08:30:02PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2018-04-26 at 03:17 -0400, William Blough wrote:
> > I would like to update xerces-c in a future point release. This
> > update will fix two issues:
> >
> > * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali
> >   of Offensive Research discovered that the Xerces-C XML parser
> >   mishandles certain kinds of external DTD references, resulting in
> >   dereference of a NULL pointer while processing the path to the DTD.
> >   The bug allows for a denial of service attack in applications that
> >   allow DTD processing and do not prevent external DTD usage, and
> >   could conceivably result in remote code execution.
> > * Fix a regression that forced gcc to use SSE2, even on platforms
> >   that do not support it (e.g., i386). This caused program crashes
> >   due to invalid CPU instructions.
>
> Please go ahead.
>
> Regards,
>
> Adam
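The advisory text quoted above singles out applications that "allow DTD processing and do not prevent external DTD usage". As an added, self-contained illustration of that condition (this is not code from the bug report or from the Xerces-C project), the block below implements a pre-parse gate: it classifies the DOCTYPE declaration in an XML prolog as absent, internal-subset-only, or carrying an external identifier (SYSTEM or PUBLIC, including external entity declarations inside the internal subset), and refuses the last kind before the bytes reach a DTD-processing parser. The function and type names are this example's own, and the sample documents in main() are constructed for it.

```cpp
// Added example: classify the DOCTYPE declaration of an XML document so that
// documents referencing an external DTD (or external entities) can be rejected
// before a DTD-processing parser such as Xerces-C sees them.
#include <cstddef>
#include <cstdio>
#include <string>

enum class DtdUse { None, InternalOnly, External };

namespace {

bool is_space(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

// True if s[i..] starts a whole-word SYSTEM or PUBLIC keyword.  XML requires
// whitespace before the keyword and between the keyword and its literal.
bool external_keyword_at(const std::string& s, std::size_t i) {
    static const std::string kws[] = {"SYSTEM", "PUBLIC"};
    if (i > 0 && !is_space(s[i - 1])) return false;
    for (const std::string& kw : kws) {
        if (s.compare(i, kw.size(), kw) == 0) {
            std::size_t j = i + kw.size();
            return j >= s.size() || is_space(s[j]);
        }
    }
    return false;
}

}  // namespace

// Examine only the prolog (XML declaration, comments, PIs, then DOCTYPE).
// An unterminated DOCTYPE is reported as External, i.e. the gate fails closed.
DtdUse classify_dtd(const std::string& xml) {
    const std::string doctype = "<!DOCTYPE";
    const std::size_t n = xml.size();
    std::size_t i = 0;

    // Skip whitespace, comments and processing instructions before DOCTYPE.
    while (i < n) {
        if (is_space(xml[i])) { ++i; continue; }
        if (xml.compare(i, 4, "<!--") == 0) {
            std::size_t end = xml.find("-->", i + 4);
            if (end == std::string::npos) return DtdUse::None;
            i = end + 3;
            continue;
        }
        if (xml.compare(i, 2, "<?") == 0) {
            std::size_t end = xml.find("?>", i + 2);
            if (end == std::string::npos) return DtdUse::None;
            i = end + 2;
            continue;
        }
        if (xml.compare(i, doctype.size(), doctype) == 0) break;
        return DtdUse::None;  // root element reached: no DOCTYPE in prolog
    }
    if (i >= n) return DtdUse::None;

    // Inside the DOCTYPE declaration.  Quoted literals and comments are
    // skipped, and the internal subset's bracket depth is tracked so that the
    // '>' closing an inner <!ENTITY ...> is not taken as the end of DOCTYPE.
    i += doctype.size();
    int depth = 0;
    bool external = false;
    while (i < n) {
        char c = xml[i];
        if (c == '"' || c == '\'') {
            std::size_t end = xml.find(c, i + 1);
            if (end == std::string::npos) return DtdUse::External;
            i = end + 1;
            continue;
        }
        if (xml.compare(i, 4, "<!--") == 0) {
            std::size_t end = xml.find("-->", i + 4);
            if (end == std::string::npos) return DtdUse::External;
            i = end + 3;
            continue;
        }
        if (c == '[') { ++depth; ++i; continue; }
        if (c == ']') { --depth; ++i; continue; }
        if (c == '>' && depth == 0)
            return external ? DtdUse::External : DtdUse::InternalOnly;
        if (external_keyword_at(xml, i)) external = true;
        ++i;
    }
    return DtdUse::External;  // unterminated declaration: fail closed
}

// Gate used in front of a parser that has DTD processing enabled.
bool safe_to_parse_with_dtd(const std::string& xml) {
    return classify_dtd(xml) != DtdUse::External;
}

int main() {
    // Constructed sample documents for this example.
    const std::string samples[] = {
        "<?xml version=\"1.0\"?>\n<root/>",
        "<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]><note/>",
        "<!DOCTYPE note SYSTEM \"note.dtd\"><note/>",
        "<!DOCTYPE x [ <!ENTITY e SYSTEM \"file:///etc/passwd\"> ]><x>&e;</x>",
    };
    for (const std::string& s : samples)
        std::printf("%s: %s\n", safe_to_parse_with_dtd(s) ? "accept" : "reject", s.c_str());
    return 0;
}
```

This gate is defense in depth, not a substitute for configuring the parser: with Xerces-C the primary control is to turn off external DTD loading (the feature `XMLUni::fgXercesLoadExternalDTD`, or `setLoadExternalDTD(false)` on the DOM parser) and to install a resolver that refuses external entities, so that even a document that slips past a front-end filter cannot make the parser fetch or process a DTD path.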