[xml/sgml-pkgs] Bug#296432: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup
SALVETTI Djoume
SALVETTI Djoume <djoume@taket.org>, 296432@bugs.debian.org
Tue, 22 Feb 2005 14:49:36 +0100
Package: xerces25
Severity: normal
Good day,
From [CAN-2004-1575]:
| The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
| denial of service (CPU consumption) via XML attributes in a crafted
| XML document.
This problem has been fixed in version 2.6 of Xerces.
It's not clear to me if prior versions (xerces24, xerces23, xerces22,
xerces21) are also vulnerable.
I can file bugs if you think it's appropriate.
Could you also mention the CAN number in changelog entries about this problem?
Regards.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)