Bug 515515 (CVE-2009-1885)
Summary: | CVE-2009-1885 xerces-c, xerces-c27: Stack overflow when parsing recursive XML structures | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bressers, gsim, jrusnack, juhani.eronen, mrg-program-list, security-response-team |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://svn.apache.org/viewvc?view=rev&revision=781488 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-12-01 04:10:37 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Lieskovsky
2009-08-04 15:26:39 UTC
This issue affects the versions of the xerces-c and xerces-c27 packages, as shipped with Fedora releases of 10 and 11. This issue affects the versions of the xerces-c package, as shipped within the Extra Packages for Enterprise Linux 4 (EPEL-4) and Extra Packages for Enterprise Linux 5 (EPEL-5) projects. Please fix. Public now via: http://www.cert.fi/en/reports/2009/vulnerability2009085.html xerces-c-2.8.0-5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/xerces-c-2.8.0-5.fc10 xerces-c-2.8.0-5.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/xerces-c-2.8.0-5.fc11 xerces-c27-2.7.0-8.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/xerces-c27-2.7.0-8.fc11 xerces-c27-2.7.0-8.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/xerces-c27-2.7.0-8.fc10 xerces-c-2.7.0-8.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/xerces-c-2.7.0-8.el4 xerces-c-2.7.0-8.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/xerces-c-2.7.0-8.el5 This issue affects the versions of Xerces-c package, as shipped with Red Hat Enterprise MRG 1.1 for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. Official statement from Red Hat Security Response Team regarding this issue: ---------------------------------------------------------------------------- The Red Hat Security Response Team has rated this issue as having low security impact, a future Xerces-c package update may address this flaw in Red Hat Enterprise MRG 1.1. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ xerces-c27-2.7.0-8.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. xerces-c-2.8.0-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. xerces-c27-2.7.0-8.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. xerces-c-2.8.0-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. xerces-c-2.7.0-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. xerces-c-2.7.0-8.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report. Should be closed now, I suppose. We actually do want to keep this open for bit longer, as xerces-c is shipped as part of some products, but due to the impact of the flaw itself and impact on particular product, updates are not expected to go out immediately. So I will re-open, feel free to un-CC yourself, as all you care about is fixed by now. Thank you! Ok, understood. Feel free to do everything you need with this ticket :) Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |