It was found that Red Hat JBoss Core Services incorrectly fixed CVE-2016-3627 in Apache HTTP 2.4.23 (erratum RHSA-2016:2957), leaving libxml2 vulnerable to a Denial of Service attack via stack consumption.
Are there any details available for this? Upstream bug, commit reference?
(In reply to Salvatore Bonaccorso from comment #2)
> Are there any details available for this? Upstream bug, commit reference?
This and the other two should be for Red Hat-specific security regressions, effectively duplicates of other public CVEs. I'm going to ask Bharti to fix these bugs up properly.
dup of CVE-2016-3627 I would say
This CVE id is for the same issue as CVE-2016-3627 (bug 1319829). This additional CVE was assigned because the original issue was listed as fixed in RHSA-2016:2957 for the Red Hat JBoss Core Services:
However, that erratum actually failed to include the fix for the issue.
Therefore, this new CVE is specific to the Red Hat JBoss Core Services product and is better described as: missing/incorrect fix for CVE-2016-3627 in the Red Hat JBoss Core Services.
JBCS 2.4.29 (RHSA-2018:2486) includes libxml2 rebased to 2.9.7, which addresses this CVE and CVE-2016-9597.