Mandriva: Subject: [Security Announce] [ MDVSA-2009:223 ] xerces-c
Posted by Benjamin D. Thomas   
A vulnerability has been found and corrected in xerces-c: Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in simply nested DTD structures, as demonstrated by the Codenomicon XML fuzzing framework (CVE-2009-1885). This update provides a solution to this vulnerability.
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:223
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xerces-c
 Date    : August 30, 2009
 Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in xerces-c:
 
 Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
 Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to
 cause a denial of service (application crash) via vectors involving
 nested parentheses and invalid byte values in simply nested DTD
 structures, as demonstrated by the Codenomicon XML fuzzing framework
 (CVE-2009-1885).
 
 This update provides a solution to this vulnerability.
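 As an added illustration (not Xerces code and not the upstream fix), the C++ below models the vulnerability class the description names: a recursive-descent scanner for DTD content-model groups recurses once per "(", so its stack use grows with attacker-controlled nesting, and a bounded-depth check rejects over-deep input before the stack is exhausted. The grammar is deliberately simplified, and `kMaxGroupDepth`, `scanContentModel` and `nestedParens` are assumed names, not Xerces API.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

enum class ScanResult { Ok, TooDeep, Malformed };

// Assumed cap on content-model nesting; legitimate DTDs stay far below it.
constexpr std::size_t kMaxGroupDepth = 64;
namespace {
// Scans one parenthesised group starting at s[pos] == '('. On success pos is
// left just past the matching ')' and any trailing '?', '*' or '+'.
// Each nested '(' costs one more stack frame; without the depth check below
// the frame count is bounded only by the input (the CVE-2009-1885 pattern).
ScanResult scanGroup(const std::string& s, std::size_t& pos,
                     std::size_t depth, std::size_t maxDepth) {
    if (depth > maxDepth) return ScanResult::TooDeep;  // mitigation: bound recursion
    if (pos >= s.size() || s[pos] != '(') return ScanResult::Malformed;
    ++pos;  // consume '('
    while (pos < s.size() && s[pos] != ')') {
        unsigned char c = static_cast<unsigned char>(s[pos]);
        if (c == '(') {
            ScanResult r = scanGroup(s, pos, depth + 1, maxDepth);
            if (r != ScanResult::Ok) return r;
        } else if (std::isalnum(c) || c == '#' || c == '|' || c == ',' ||
                   c == '?' || c == '*' || c == '+') {
            ++pos;  // name characters, connectors and occurrence indicators
        } else {
            return ScanResult::Malformed;  // e.g. invalid byte values
        }
    }
    if (pos >= s.size()) return ScanResult::Malformed;  // unterminated group
    ++pos;  // consume ')'
    if (pos < s.size() && (s[pos] == '?' || s[pos] == '*' || s[pos] == '+')) ++pos;
    return ScanResult::Ok;
}
}  // namespace
// Validates a whole content model such as "(a|(b,c)*)+".
ScanResult scanContentModel(const std::string& model,
                            std::size_t maxDepth = kMaxGroupDepth) {
    std::size_t pos = 0;
    ScanResult r = scanGroup(model, pos, 1, maxDepth);
    if (r != ScanResult::Ok) return r;
    return pos == model.size() ? ScanResult::Ok : ScanResult::Malformed;
}

// Builds a constructed test input with `depth` nested groups around one name.
std::string nestedParens(std::size_t depth) {
    return std::string(depth, '(') + "a" + std::string(depth, ')');
}
```

 With the cap in place a 100000-level nesting is rejected after 65 frames instead of recursing until the stack runs out.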
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team