Bug#296432: [xml/sgml-pkgs] Bug#296432: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup

Jay Berkenbilt <qjb@debian.org>, 296432@bugs.debian.org
Tue, 22 Feb 2005 11:47:18 -0500


SALVETTI Djoume <djoume@taket.org> wrote:

> From [CAN-2004-1575]:
>
> | The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
> | denial of service (CPU consumption) via XML attributes in a crafted
> | XML document.
>
> This problem has been fixed in version 2.6 of Xerces.
>
> It's not clear to me if prior versions (xerces24, xerces23, xerces22,
> xerces21) are also vulnerable.
>
> I can file bugs if you think it's appropriate.

xerces22 isn't in debian.  I maintain xerces23 and xerces24, so no
need to file separate bugs.  If you file against xerces21, feel free
to CC me on it.

--Jay