[arch-security] [ASA-201503-19] xerces-c: denial of service
Arch Linux Security Advisory ASA-201503-19 ========================================== Severity: Medium Date : 2015-03-20 CVE-ID : CVE-2015-0252 Package : xerces-c Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package xerces-c before version 3.1.2-1 is vulnerable to denial of service. Resolution ========== Upgrade to 3.1.2-1. # pacman -Syu "xerces-c>=3.1.2-1" The problem has been fixed upstream in version 3.1.2. Workaround ========== None. Description =========== - CVE-2015-0252 (denial of service) The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. The bug does not appear to allow for remote code execution, but is a denial of service attack that in many applications may allow for an unauthenticated attacker to supply malformed input and cause a crash. Impact ====== A remote attacker is able to send specially crafted documents that are resulting in a segmentation fault leading to denial of service. References ========== https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt https://access.redhat.com/security/cve/CVE-2015-0252 https://bugs.archlinux.org/task/44272
participants (1)
-
Levente Polyak