Bug 512921 (CVE-2009-2625)
| Summary: | CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marc Schoenefeld <mschoene> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acathrow, andreas.bierfert, aph, atkac, bazulay, bressers, cpelland, dbhole, dyasny, fnasser, iheim, jlieskov, jorton, kreilly, lkundrak, mitr, mjc, mmcallis, ovasik, pcheung, Rhev-m-bugs, rrakus, rruss, security-response-team, vdanen, ykaul, ylavi, zdover |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Previously, a denial-of-service flaw was found in Java which allowed the creation of an infinite loop in XML headers that would consume all CPU resources. This issue was patched and Java is no longer vulnerable to a denial-of-service flaw due to the initiation of an infinite loop by means of XML headers. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-04-22 21:33:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 513391, 513392, 515679, 515680, 515682, 515683, 521225, 521226, 522764, 522765, 522766, 526017, 526018, 526815, 526816, 529660, 529661, 540443, 690926, 690931, 690932, 751500, 751501, 795942, 850657, 850658 | | |
| Bug Blocks: | 734571, 824237 | | |
Comment 2
Marc Schoenefeld
2009-08-06 14:22:34 UTC
This issue has been addressed in following products:
Extras for RHEL 4
Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1199 https://rhn.redhat.com/errata/RHSA-2009-1199.html

This issue has been addressed in following products:
Extras for RHEL 4
Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html

This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html

java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:
Extras for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2009:1236 https://rhn.redhat.com/errata/RHSA-2009-1236.html

This issue has been addressed in following products:
Extras for RHEL 3
Extras for RHEL 4
Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1505 https://rhn.redhat.com/errata/RHSA-2009-1505.html

This flaw is present also in expat, the C library for parsing XML, written by James Clark.

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
https://bugs.gentoo.org/show_bug.cgi?id=280615

Upstream bug report:
--------------------
https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127 (not accessible for me)

Upstream patch:
---------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

Upstream log:
-------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Note: This is now handled under separate CVE id -- CVE-2009-3720, for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

This issue affects the versions of expat package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of expat package, as shipped with Fedora releases of 10 and 11 (expat-2.0.1-5, expat-2.0.1-6) and as scheduled to appear in Fedora 12 release (expat-2.0.1-7). Please fix.

Note: This is now handled under separate CVE id -- CVE-2009-3720, for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

This issue does NOT affect the versions of the w3c-libwww package, as shipped with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the versions of the w3c-libwww package, as shipped with Fedora releases of 10, 11, and as scheduled to appear in Fedora 12 (Fedora's w3c-libwww uses system expat library, so once the issue is updated in expat, w3c-libwww in Fedora is also safe).

Note: This is now handled under separate CVE id -- CVE-2009-3720, for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

This issue does NOT affect the version of the PyXML package, as shipped with Red Hat Enterprise Linux 3.

This issue affects the versions of the PyXML package, as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the PyXML package, as shipped with Fedora release of 10, 11, and as scheduled to appear in Fedora 12.

Note: This is now handled under separate CVE id -- CVE-2009-3720, for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

This issue affects the versions of the 4Suite package, as shipped with Red Hat Enterprise Linux 3 and 4.

Note: This is now handled under separate CVE id -- CVE-2009-3720, for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

This issue does NOT affect the versions of the vnc package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the vnc package, as shipped with Fedora releases of 10 and 11.

Note: This is now handled under separate CVE id -- CVE-2009-3720, for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

This issue has been addressed in following products:
RHEL 4 for SAP
RHEL 5 for SAP
Via RHSA-2009:1551 https://rhn.redhat.com/errata/RHSA-2009-1551.html

This issue has been addressed in following products:
Extras for RHEL 4
Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1582 https://rhn.redhat.com/errata/RHSA-2009-1582.html

This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1615 https://rhn.redhat.com/errata/RHSA-2009-1615.html

This issue has been addressed in following products:
JBEAP 4.3.0 for RHEL 4
Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

This issue has been addressed in following products:
JBEAP 4.2.0 for RHEL 4
Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

This issue has been addressed in following products:
JBEAP 4.3.0 for RHEL 5
Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

This issue has been addressed in following products:
JBEAP 4.2.0 for RHEL 5
Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

This issue has been addressed in following products:
Red Hat Network Satellite Server v 5.1
Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html

This issue has been addressed in following products:
Red Hat Network Satellite Server v 5.3
Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html

This has never been fixed in Fedora. The upstream patch for this is here:

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch

Looks like 2.10.0 fixed this upstream, according to the changelog:
http://xerces.apache.org/xerces2-j/releases.html

Created xerces-j2 tracking bugs for this issue
Affects: fedora-all [bug 690926]

This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0858 https://rhn.redhat.com/errata/RHSA-2011-0858.html

Created centerim tracking bugs for this issue
Affects: fedora-14 [bug 751500]
Affects: epel-5 [bug 751501]

According to http://www.centerim.org/index.php/Main_Page, centerim 4.22.10 fixes this flaw. Current EPEL6 and >=F15 have this version already, so only F14 and EPEL5 are vulnerable.

(In reply to comment #44)
> This has never been fixed in Fedora. The upstream patch for this is here:
>
> http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch

Upstream commit and bug report:
http://svn.apache.org/viewvc?view=revision&revision=787352
https://issues.apache.org/jira/browse/XERCESJ-1412

This issue has been addressed in following products:
JBoss Operations Network 3.1.0
Via RHSA-2012:0725 https://rhn.redhat.com/errata/RHSA-2012-0725.html

This issue has been addressed in following products:
JBoss Enterprise Portal Platform 5.2.2
Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html

This issue has been addressed in following products:
RHEV Manager version 3.x
Via RHSA-2012:1537 https://rhn.redhat.com/errata/RHSA-2012-1537.html

This issue has been addressed in following products:
JBoss Web Framework Kit 2.2.0
Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html