On Tue, Mar 12, 2019 at 02:53:14PM +0100, wf...@niif.hu wrote:
> Moritz Muehlenhoff <j...@inutil.org> writes:
>
> > On Tue, Mar 12, 2019 at 10:19:00AM +0100, wf...@niif.hu wrote:
> >
> >> The resulting packages work fine in my setup. However, I failed to
> >> reproduce the original issue under stretch. After consulting upstream,
> >> it turns out that the old Xerces library actually helps somewhat in this
> >> case, please see Scott Cantor's reply below. So the known exploit
> >> (using an invalid XML declaration) does not work on stable, but if
> >> somebody finds a way to trigger a DOMException in Xerces 3.1, any
> >> xmltooling users will crash all the same. See also his comment on
> >> https://issues.apache.org/jira/browse/XERCESC-2016.
> >
> > I think we can still fix this via stretch-security
>
> OK, uploaded.

DSA has been released, thanks.

Cheers,
Moritz