Source: xerces-c
Version: 3.2.2+debian-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/XERCESC-2188
Control: found -1 3.1.4+debian-2+deb9u1
Control: found -1 3.1.4+debian-1
Hi,

The following vulnerability was published for xerces-c. There is no
upstream fix and only suggested mitigations, at the time of writing the
bug report.

CVE-2018-1311[0]:
| The Apache Xerces-C 3.0.0 to 3.2.2 XML parser contains a use-after-free
| error triggered during the scanning of external DTDs. This flaw
| has not been addressed in the maintained version of the library and
| has no current mitigation other than to disable DTD processing. This
| can be accomplished via the DOM using a standard parser feature, or
| via SAX using the XERCES_DISABLE_DTD environment variable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1311
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1311
[1] https://issues.apache.org/jira/browse/XERCESC-2188
[2] https://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt
[3] https://marc.info/?l=xerces-c-users&m=157653840106914&w=2

Regards,
Salvatore