CVE-2015-0252: Debian -- Security Information -- DSA-3199-1 xerces-c
internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data.
Debian Security Advisory
Date Reported:
20 Mar 2015
Affected Packages:
xerces-c
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 780827.
In Mitre’s CVE dictionary: CVE-2015-0252.
More information:
Anton Rager and Jonathan Brossard from the Salesforce.com Product Security Team and Ben Laurie of Google discovered a denial of service vulnerability in xerces-c, a validating XML parser library for C++. The parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. An unauthenticated attacker could use this flaw to cause an application using the xerces-c library to crash. Because the failure is a segmentation fault inside the native parser rather than a reported parse error, an application cannot recover from it by catching the library's exceptions; the fix has to come from the updated library, not from application-level error handling.
For the stable distribution (wheezy), this problem has been fixed in version 3.1.1-3+deb7u1.
We recommend that you upgrade your xerces-c packages. Processes that already have the old shared library loaded continue to run the vulnerable code until they are restarted.
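The check a practitioner would want before and after applying the upgrade, as an added example that is not part of the Debian advisory: compare the installed package version against the wheezy fix version 3.1.1-3+deb7u1 using Debian's own version ordering. The package names libxerces-c3.1 and libxerces-c-dev in the usage comment are assumed to be the wheezy binary packages built from the xerces-c source; the advisory itself names only the source package.

```sh
#!/bin/sh
# Added example, not part of the Debian advisory: check whether an installed
# xerces-c build predates the wheezy fix version named in the advisory.
FIXED_WHEEZY="3.1.1-3+deb7u1"

# version_lt A B: succeeds when Debian version string A sorts before B.
# Uses dpkg's own comparison when dpkg is present; otherwise falls back to
# GNU sort -V, which orders these particular version strings the same way.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# is_vulnerable VERSION: succeeds when VERSION is older than the fixed version.
is_vulnerable() {
    version_lt "$1" "$FIXED_WHEEZY"
}

# check_installed PACKAGE: query dpkg for the installed version and report it.
# Exit status: 0 fixed, 1 vulnerable, 2 not installed.
check_installed() {
    pkg="$1"
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) && [ -n "$ver" ] || {
        echo "$pkg: not installed"
        return 2
    }
    if is_vulnerable "$ver"; then
        echo "$pkg $ver: VULNERABLE, upgrade to $FIXED_WHEEZY or later"
        return 1
    fi
    echo "$pkg $ver: fixed"
    return 0
}

# Usage on a wheezy host (package names are an assumption, see lead-in):
# for p in libxerces-c3.1 libxerces-c-dev; do check_installed "$p"; done
```

The comparison is delegated to `dpkg --compare-versions` wherever dpkg exists, because Debian revision suffixes such as `+deb7u1` follow dpkg's ordering rules, not plain string or numeric order; the `sort -V` fallback only exists so the functions can be exercised on a non-Debian machine.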