-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:223 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xerces-c Date : August 30, 2009 Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in xerces-c: Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in simply nested DTD structures, as demonstrated by the Codenomicon XML fuzzing framework (CVE-2009-1885). This update provides a solution to this vulnerability. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 6fe1343e12872cfb72600cda610a7156 2008.1/i586/libxerces-c0-2.7.0-7.1mdv2008.1.i586.rpm 52a88c588964e773d06aee149431db62 2008.1/i586/libxerces-c0-devel-2.7.0-7.1mdv2008.1.i586.rpm bc2033e182f9431de38591c61a79d04e 2008.1/i586/xerces-c-doc-2.7.0-7.1mdv2008.1.i586.rpm f1650c04f1226497c237b9df8ca52914 2008.1/SRPMS/xerces-c-2.7.0-7.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: b443ce3f0d4b6dd9b788f2f5e5dc5018 2008.1/x86_64/lib64xerces-c0-2.7.0-7.1mdv2008.1.x86_64.rpm 0721b1c2c3c3cc3778cfab91e74e80de 2008.1/x86_64/lib64xerces-c0-devel-2.7.0-7.1mdv2008.1.x86_64.rpm d19e80b801f968cb7aacd440e25e87fd 2008.1/x86_64/xerces-c-doc-2.7.0-7.1mdv2008.1.x86_64.rpm f1650c04f1226497c237b9df8ca52914 2008.1/SRPMS/xerces-c-2.7.0-7.1mdv2008.1.src.rpm Mandriva Linux 2009.0: 456a414a9b9198e635656662a7e94aba 2009.0/i586/libxerces-c0-2.7.0-7.1mdv2009.0.i586.rpm 1f3b5377f035b888ce9ae44032315996 2009.0/i586/libxerces-c0-devel-2.7.0-7.1mdv2009.0.i586.rpm 35bf505f9c495ad6ea524769efd3daa7 2009.0/i586/libxerces-c28-2.8.0-2.1mdv2009.0.i586.rpm b380105dbd43b807d2e221f2629a7e14 2009.0/i586/libxerces-c-devel-2.8.0-2.1mdv2009.0.i586.rpm edb9336631ab0cb1b93d512218fd7154 2009.0/i586/xerces-c-doc-2.7.0-7.1mdv2009.0.i586.rpm f598ff70574e18cbe2a1fd1f4e37db35 2009.0/i586/xerces-c-doc-2.8.0-2.1mdv2009.0.i586.rpm a13a2e170b253495cbbc5ce6771e617b 2009.0/SRPMS/xerces-c-2.7.0-7.1mdv2009.0.src.rpm 76d86a6868412ee03be540e0451f6ef3 2009.0/SRPMS/xerces-c-2.8.0-2.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 05bd3f1dec9e2ff7d4737e145998587e 2009.0/x86_64/lib64xerces-c0-2.7.0-7.1mdv2009.0.x86_64.rpm 17ef57d1bee9cd1b80f020f9a01a5c78 2009.0/x86_64/lib64xerces-c0-devel-2.7.0-7.1mdv2009.0.x86_64.rpm ebec80803cf8add9a94ae02a6045f1fd 2009.0/x86_64/lib64xerces-c28-2.8.0-2.1mdv2009.0.x86_64.rpm 85ea70a0737137061741b11af8f3720b 2009.0/x86_64/lib64xerces-c-devel-2.8.0-2.1mdv2009.0.x86_64.rpm 3649d09123e345059218ed706ca724be 2009.0/x86_64/xerces-c-doc-2.7.0-7.1mdv2009.0.x86_64.rpm 3e3020d0e14617e2b2ad1c2de06e7a3f 2009.0/x86_64/xerces-c-doc-2.8.0-2.1mdv2009.0.x86_64.rpm a13a2e170b253495cbbc5ce6771e617b 2009.0/SRPMS/xerces-c-2.7.0-7.1mdv2009.0.src.rpm 76d86a6868412ee03be540e0451f6ef3 2009.0/SRPMS/xerces-c-2.8.0-2.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 1700f8e14c729fe9832e562510a489bf 2009.1/i586/libxerces-c28-2.8.0-2.1mdv2009.1.i586.rpm 5d7918c10d10c591f9ca2312bf365532 2009.1/i586/libxerces-c-devel-2.8.0-2.1mdv2009.1.i586.rpm b1c26127c4734e61d38f6b5360f678b8 2009.1/i586/xerces-c-doc-2.8.0-2.1mdv2009.1.i586.rpm 85116e6849e6201535dad276c3449a02 2009.1/SRPMS/xerces-c-2.8.0-2.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: d62bdc0c0b443af4b5a2f3b7031eace2 2009.1/x86_64/lib64xerces-c28-2.8.0-2.1mdv2009.1.x86_64.rpm 34674db83d664fdd5bb2918fc2e2d4ca 2009.1/x86_64/lib64xerces-c-devel-2.8.0-2.1mdv2009.1.x86_64.rpm 8749b4d5b99477f1057abfc69a0713f1 2009.1/x86_64/xerces-c-doc-2.8.0-2.1mdv2009.1.x86_64.rpm 85116e6849e6201535dad276c3449a02 2009.1/SRPMS/xerces-c-2.8.0-2.1mdv2009.1.src.rpm Mandriva Enterprise Server 5: 833d6d41e3b719b4d9a26e126d38f85c mes5/i586/libxerces-c0-2.7.0-7.1mdvmes5.i586.rpm 2c234197dda4b427dac53a1908f28a6b mes5/i586/libxerces-c0-devel-2.7.0-7.1mdvmes5.i586.rpm 4360120c35f047e0c46550132a8388d4 mes5/i586/libxerces-c28-2.8.0-2.1mdvmes5.i586.rpm af19c3b823b4b857fbffec760d8750a3 mes5/i586/libxerces-c-devel-2.8.0-2.1mdvmes5.i586.rpm 43234d44a3f6d0fba412257ba51ed0aa mes5/i586/xerces-c-doc-2.7.0-7.1mdvmes5.i586.rpm e4a6858ac8d2f3acb02af0b48e8620b8 mes5/i586/xerces-c-doc-2.8.0-2.1mdvmes5.i586.rpm 14c4d8bd71fa9f5de81fb200dd45a264 mes5/SRPMS/xerces-c-2.7.0-7.1mdvmes5.src.rpm 51fb9e82eecd07d7829beca2977a7236 mes5/SRPMS/xerces-c-2.8.0-2.1mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: 7b00a6a7035797e3bf5a6f7281202f58 mes5/x86_64/lib64xerces-c0-2.7.0-7.1mdvmes5.x86_64.rpm e46a2044d9e25ae4e57554ef69bc4f91 mes5/x86_64/lib64xerces-c0-devel-2.7.0-7.1mdvmes5.x86_64.rpm a4dd5e9cd4e80c9ed4da70491a068ad5 mes5/x86_64/lib64xerces-c28-2.8.0-2.1mdvmes5.x86_64.rpm b3b8b9fbcf931e6f9bf0d98d933f23ff mes5/x86_64/lib64xerces-c-devel-2.8.0-2.1mdvmes5.x86_64.rpm c39464cecd5ada674e1d0955e4751ffa mes5/x86_64/xerces-c-doc-2.7.0-7.1mdvmes5.x86_64.rpm 07bd56e33e2acb0449a6ae4bdc43f9aa mes5/x86_64/xerces-c-doc-2.8.0-2.1mdvmes5.x86_64.rpm 14c4d8bd71fa9f5de81fb200dd45a264 mes5/SRPMS/xerces-c-2.7.0-7.1mdvmes5.src.rpm 51fb9e82eecd07d7829beca2977a7236 mes5/SRPMS/xerces-c-2.8.0-2.1mdvmes5.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKmpCbmqjQ0CJFipgRAsT/AJ9pEVZLPjebqx4y+VH66BQIe8WDoQCglct4 hf7U+mMdvf5JG4LtWZJNu64= =rySh -----END PGP SIGNATURE-----