A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service. http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1
This issue has been addressed in the following products:
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1199 https://rhn.redhat.com/errata/RHSA-2009-1199.html
This issue has been addressed in the following products:
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
  Extras for Red Hat Enterprise Linux 5
  Extras for RHEL 4
Via RHSA-2009:1236 https://rhn.redhat.com/errata/RHSA-2009-1236.html
This issue has been addressed in the following products:
  Extras for RHEL 3
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1505 https://rhn.redhat.com/errata/RHSA-2009-1505.html
This flaw is also present in expat, the C library for parsing XML, written by James Clark.

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
https://bugs.gentoo.org/show_bug.cgi?id=280615

Upstream bug report:
--------------------
https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127 (not accessible for me)

Upstream patch:
---------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

Upstream log:
-------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Note: This is now handled under a separate CVE id -- CVE-2009-3720; for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
This issue affects the versions of the expat package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.
This issue affects the versions of the expat package, as shipped with Fedora releases 10 and 11 (expat-2.0.1-5, expat-2.0.1-6) and as scheduled to appear in the Fedora 12 release (expat-2.0.1-7). Please fix.
Note: This is now handled under a separate CVE id -- CVE-2009-3720; for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
This issue does NOT affect the versions of the w3c-libwww package, as shipped with Red Hat Enterprise Linux 3 and 4.
This issue does NOT affect the versions of the w3c-libwww package, as shipped with Fedora releases 10 and 11, and as scheduled to appear in Fedora 12 (Fedora's w3c-libwww uses the system expat library, so once expat is updated, w3c-libwww in Fedora is also safe).
Note: This is now handled under a separate CVE id -- CVE-2009-3720; for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
This issue does NOT affect the version of the PyXML package, as shipped with Red Hat Enterprise Linux 3.
This issue affects the versions of the PyXML package, as shipped with Red Hat Enterprise Linux 4 and 5.
This issue affects the versions of the PyXML package, as shipped with Fedora releases 10 and 11, and as scheduled to appear in Fedora 12.
Note: This is now handled under a separate CVE id -- CVE-2009-3720; for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
This issue affects the versions of the 4Suite package, as shipped with Red Hat Enterprise Linux 3 and 4.
Note: This is now handled under a separate CVE id -- CVE-2009-3720; for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
This issue does NOT affect the versions of the vnc package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.
This issue does NOT affect the versions of the vnc package, as shipped with Fedora releases 10 and 11.
Note: This is now handled under a separate CVE id -- CVE-2009-3720; for more information please have a look at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
This issue has been addressed in the following products:
  RHEL 4 for SAP
  RHEL 5 for SAP
Via RHSA-2009:1551 https://rhn.redhat.com/errata/RHSA-2009-1551.html
This issue has been addressed in the following products:
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1582 https://rhn.redhat.com/errata/RHSA-2009-1582.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2009:1615 https://rhn.redhat.com/errata/RHSA-2009-1615.html
This issue has been addressed in the following products:
  JBEAP 4.3.0 for RHEL 4
Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
This issue has been addressed in the following products:
  JBEAP 4.2.0 for RHEL 4
Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
This issue has been addressed in the following products:
  JBEAP 4.3.0 for RHEL 5
Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
This issue has been addressed in the following products:
  JBEAP 4.2.0 for RHEL 5
Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html
This issue has been addressed in the following products:
  Red Hat Network Satellite Server v 5.1
Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html
This issue has been addressed in the following products:
  Red Hat Network Satellite Server v 5.3
Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html
This has never been fixed in Fedora. The upstream patch for this is here:
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch
Looks like 2.10.0 fixed this upstream, according to the changelog:
http://xerces.apache.org/xerces2-j/releases.html
Created xerces-j2 tracking bugs for this issue
Affects: fedora-all [bug 690926]
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2011:0858 https://rhn.redhat.com/errata/RHSA-2011-0858.html
Created centerim tracking bugs for this issue
Affects: fedora-14 [bug 751500]
Affects: epel-5 [bug 751501]
According to http://www.centerim.org/index.php/Main_Page, centerim 4.22.10 fixes this flaw. Current EPEL6 and >=F15 have this version already, so only F14 and EPEL5 are vulnerable.
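Since the thread names the builds that carry the fix (the Fedora 10 and 11 java-1.6.0-openjdk pushes above, xerces-j2 2.10.0 upstream, centerim 4.22.10), a practitioner will want to check an `rpm -q` listing against them. The following is an added example and not code from this bug report or from any of the projects mentioned: it reimplements rpm's version-segment comparison (rpmvercmp) in Python so it runs without librpm, and the "installed" package list it checks is constructed sample input. The FIXED table, the helper names and the status strings are the example's own.

```python
"""Version check against the fixed builds named in this bug.

Added example, not part of the Red Hat bug report or of any of the
projects mentioned. Re-implements rpm's version-segment comparison
(rpmvercmp) in pure Python; SAMPLE_INSTALLED is constructed input.
"""
import re

# Fixed builds as stated in the thread: the two Fedora openjdk pushes
# (exact build, per dist tag) and the upstream versions that fix
# xerces-j2 (2.10.0) and centerim (4.22.10), any release of those.
FIXED = {
    "java-1.6.0-openjdk": [("1.6.0.0", "27.b16.fc11"), ("1.6.0.0", "20.b16.fc10")],
    "xerces-j2": [("2.10.0", None)],
    "centerim": [("4.22.10", None)],
}

_SEG = re.compile(r"\d+|[A-Za-z]+|~")
_DIST = re.compile(r"(fc|el)\d+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings: -1, 0 or 1.

    rpm's rules: split into numeric and alphabetic segments, compare
    numerics as integers ("9" < "10"), a numeric segment is newer than an
    alphabetic one, "~" sorts before anything (pre-releases), and
    otherwise the string with segments left over is the newer one.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":            # "1.0~rc1" is older than "1.0"
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' as printed by `rpm -q`."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def dist_tag(release):
    """'27.b16.fc11' -> 'fc11'; None when there is no fcNN/elN suffix."""
    if release is None:
        return None
    last = release.rsplit(".", 1)[-1]
    return last if _DIST.fullmatch(last) else None


def status(nevr: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' (package or dist not tracked)."""
    name, _epoch, ver, rel = parse_nevr(nevr)   # FIXED carries no epochs, so ignored
    tag = dist_tag(rel)
    # Compare only against a fixed build for the same distribution, or
    # against a plain upstream version (release None) that applies anywhere.
    candidates = [(fv, fr) for fv, fr in FIXED.get(name, [])
                  if fr is None or dist_tag(fr) == tag]
    if not candidates:
        return "unknown"
    for fver, frel in candidates:
        c = rpmvercmp(ver, fver)
        if c > 0 or (c == 0 and (frel is None or rpmvercmp(rel, frel) >= 0)):
            return "fixed"
    return "vulnerable"


# Constructed sample of `rpm -q` output; not from any real host.
SAMPLE_INSTALLED = [
    "java-1.6.0-openjdk-1.6.0.0-20.b16.fc11",  # older than the F11 push
    "java-1.6.0-openjdk-1.6.0.0-27.b16.fc11",  # the F11 push itself
    "java-1.6.0-openjdk-1.6.0.0-20.b16.fc10",  # the F10 push itself
    "centerim-4.22.9-1.fc14",                   # 9 < 10 numerically, not lexically
    "xerces-j2-2.7.1-12.fc14",                  # 7 < 10
    "expat-2.0.1-5.fc11",                       # tracked under CVE-2009-3720, not here
]


def report(nevrs=SAMPLE_INSTALLED):
    return {n: status(n) for n in nevrs}


if __name__ == "__main__":
    for nevr, st in report().items():
        print(f"{st:10} {nevr}")
```

In practice you would feed the output of `rpm -q java-1.6.0-openjdk xerces-j2 centerim` to `report()` instead of the sample list. Two caveats: the xerces-j2 and centerim entries compare the upstream version only, so a distribution build that backports the fix into an older version with a bumped release will show as "vulnerable" and must be confirmed from the package changelog; and an openjdk build whose dist tag is not one of the two Fedora pushes above (an EL build, for instance) reports "unknown" rather than guessing, because the RHSA errata in this thread, not these build numbers, are the authority there.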
(In reply to comment #44)
> This has never been fixed in Fedora. The upstream patch for this is here:
>
> http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch

Upstream commit and bug report:
http://svn.apache.org/viewvc?view=revision&revision=787352
https://issues.apache.org/jira/browse/XERCESJ-1412
This issue has been addressed in the following products:
  JBoss Operations Network 3.1.0
Via RHSA-2012:0725 https://rhn.redhat.com/errata/RHSA-2012-0725.html
This issue has been addressed in the following products:
  JBoss Enterprise Portal Platform 5.2.2
Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html
This issue has been addressed in the following products:
  RHEV Manager version 3.x
Via RHSA-2012:1537 https://rhn.redhat.com/errata/RHSA-2012-1537.html
This issue has been addressed in the following products:
  JBoss Web Framework Kit 2.2.0
Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html