Arch Linux Security Advisory ASA-201607-2
=========================================

Severity: Medium
Date    : 2016-07-05
CVE-ID  : CVE-2016-4463
Package : xerces-c
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package xerces-c before version 3.1.4-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 3.1.4-1.

# pacman -Syu "xerces-c>=3.1.4-1"

The problem has been fixed upstream in version 3.1.4.

Workaround
==========

None.

Description
===========

The Xerces-C XML parser fails to successfully parse a DTD that is deeply
nested, and this causes a stack overflow, which makes a denial of service
attack against many applications possible by an unauthenticated attacker.

Impact
======

A remote attacker is able to use a specially crafted XML document that, when
processed, leads to an application crash, resulting in a denial of service.

References
==========

https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
http://seclists.org/bugtraq/2016/Jun/115
https://access.redhat.com/security/cve/CVE-2016-4463
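The Description section above attributes the crash to a deeply nested DTD exhausting the parser's stack. Where upgrading is delayed, a defender can pre-screen untrusted documents before they reach the parser. The example below is added here and is not part of the Arch advisory or of Xerces-C; it assumes the relevant nesting is parenthesis nesting inside `<!ELEMENT ...>` content models (the advisory does not name the exact construct, so that reading is an assumption), inspects only the internal DTD subset, and uses a caller-supplied depth limit. The sample document, function names (`internal_subset`, `max_content_model_depth`, `prescreen`) and the limit value are all constructed for illustration.

```python
import re

# Constructed sample document: an internal DTD subset whose <!ELEMENT>
# content models nest parentheses three levels deep. Not from the advisory.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ELEMENT doc (a, (b | (c, d)))>
  <!ELEMENT a (#PCDATA)>
  <!ELEMENT b (#PCDATA)>
  <!ELEMENT c (#PCDATA)>
  <!ELEMENT d (#PCDATA)>
]>
<doc><a/><b/></doc>
"""


def internal_subset(xml_text):
    """Return the text between '[' and ']' of the DOCTYPE, or '' if absent.

    External subsets (SYSTEM/PUBLIC identifiers) are deliberately not fetched;
    a pre-screen for untrusted input should not resolve them at all.
    """
    m = re.search(r"<!DOCTYPE\s[^\[>]*\[(.*?)\]\s*>", xml_text, re.S)
    return m.group(1) if m else ""


def max_content_model_depth(dtd_text):
    """Deepest parenthesis nesting found in any <!ELEMENT ...> content model.

    Assumption (hypothetical reading of the advisory): this is the nesting
    that drives the parser's recursion depth.
    """
    deepest = 0
    for decl in re.finditer(r"<!ELEMENT\s+\S+\s+(.*?)>", dtd_text, re.S):
        depth = 0
        for ch in decl.group(1):
            if ch == "(":
                depth += 1
                deepest = max(deepest, depth)
            elif ch == ")":
                depth -= 1
    return deepest


def prescreen(xml_text, max_depth):
    """Return (accepted, observed_depth).

    Documents whose internal DTD subset nests content models deeper than
    max_depth are rejected before any real XML parser sees them.
    """
    depth = max_content_model_depth(internal_subset(xml_text))
    return depth <= max_depth, depth


if __name__ == "__main__":
    # Constructed limit; tune to what your own schemas legitimately need.
    accepted, depth = prescreen(SAMPLE_XML, max_depth=8)
    print("accepted=%s observed_depth=%d" % (accepted, depth))
```

The check is a coarse textual gate, not an XML parser: it does not validate the DTD, and it says nothing about documents that carry their DTD externally. Its value is that it never recurses, so it can refuse a suspicious document without itself being exposed to the stack exhaustion the advisory describes, and the observed depth is a useful field to log for detection.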