Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-1311

Опубликовано: 18 дек. 2019
Источник: debian

Описание

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
xerces-cfixed3.2.3+debian-2package
xerces-cpostponedjessiepackage

Примечания

  • http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt

  • https://issues.apache.org/jira/browse/XERCESC-2188

  • http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak, applied in DLA-2498-1 and DSA-4814-1)

  • Mitigation by setting the XERCES_DISABLE_DTD environment variable

  • Fixed by: https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835 (v3.2.5)

  • Fix replaced with upstream-vetted patch (without introducing memory leak and binary-compatible) in 3.2.4+debian-1.1

Связанные уязвимости

ubuntu логотип

CVE-2018-1311

CVSS3: 8.1
ubuntu
около 6 лет назад

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

redhat логотип

CVE-2018-1311

CVSS3: 8.1
redhat
около 6 лет назад

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

nvd логотип

CVE-2018-1311

CVSS3: 8.1
nvd
около 6 лет назад

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

msrc логотип

CVE-2018-1311

CVSS3: 8.1
msrc
почти 4 года назад

Описание отсутствует

suse-cvrf логотип

openSUSE-SU-2021:2958-1

suse-cvrf
больше 4 лет назад

Security update for xerces-c