Bug#296432: [xml/sgml-pkgs] Bug#296432: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup
Jay Berkenbilt <email@example.com>, firstname.lastname@example.org
Tue, 22 Feb 2005 11:47:18 -0500
SALVETTI Djoume <email@example.com> wrote:
> From [CAN-2004-1575]:
> | The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
> | denial of service (CPU consumption) via XML attributes in a crafted
> | XML document.
> This problem has been fixed in version 2.6 of Xerces.
> It's not clear to me if prior versions (xerces24, xerces23, xerces22,
> xerces21) are also vulnerable.
> I can file bugs if you think it's appropriate.
xerces22 isn't in Debian. I maintain xerces23 and xerces24, so no
need to file separate bugs. If you file against xerces21, feel free
to CC me on it.