ArchLinux: 201607-2: xerces-c: denial of service
Summary
The Xerces-C XML parser fails to successfully parse a deeply nested DTD and overflows the stack while attempting to do so. Because the crash is triggered purely by parser input, an unauthenticated attacker who can get an affected application to parse a crafted document or DTD can use this for a denial of service. The issue is tracked as CVE-2016-4463.
Resolution
Upgrade to 3.1.4-1.
# pacman -Syu "xerces-c>=3.1.4-1"
The problem has been fixed upstream in version 3.1.4.
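Before and after the upgrade, the check a practitioner wants is whether the installed package is still below 3.1.4-1. The script below is an added example, not part of this advisory or of the xerces-c project: it reads the `pacman -Q xerces-c` line and compares it against the fixed version with a simplified comparison (dotted numeric pkgver, numeric pkgrel), which is an assumption that holds for the xerces-c releases in the Arch repositories but is not a reimplementation of pacman's vercmp(8). When pacman is absent it falls back to a constructed sample line so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the advisory or the xerces-c project): report
# whether the installed xerces-c package is still affected by CVE-2016-4463,
# i.e. older than the fixed version 3.1.4-1 named in the Resolution.
# Assumption: pkgver is dotted numeric components and pkgrel is numeric
# (true for xerces-c in the Arch repos); this is a simplified comparison,
# not pacman's full vercmp(8) algorithm.

FIXED_VERSION="3.1.4-1"

# split_version VER: sets ver= (pkgver) and rel= (pkgrel, empty if absent).
split_version() {
    case $1 in
        *-*) ver=${1%-*}; rel=${1##*-} ;;
        *)   ver=$1;      rel= ;;
    esac
}

# version_ge A B: exit 0 if package version A is at or above version B.
# pkgver is compared component by component as integers, a missing
# component counting as 0 (so 3.1 equals 3.1.0); pkgrel is compared only
# when both sides carry one, which is how pacman treats a missing pkgrel.
version_ge() {
    split_version "$1"; a_ver=$ver; a_rel=$rel
    split_version "$2"; b_ver=$ver; b_rel=$rel
    a_rest="$a_ver."; b_rest="$b_ver."
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_part=${a_rest%%.*}; a_rest=${a_rest#*.}
        b_part=${b_rest%%.*}; b_rest=${b_rest#*.}
        a_part=${a_part:-0}; b_part=${b_part:-0}
        if [ "$a_part" -gt "$b_part" ]; then return 0; fi
        if [ "$a_part" -lt "$b_part" ]; then return 1; fi
    done
    if [ -n "$a_rel" ] && [ -n "$b_rel" ]; then
        [ "$a_rel" -ge "$b_rel" ]
    else
        return 0
    fi
}

# affected_line LINE: LINE is a `pacman -Q xerces-c` output line such as
# "xerces-c 3.1.3-1". Exit 0 if that version is affected, 1 if it is fixed,
# 2 if the line does not describe xerces-c at all.
affected_line() {
    pkg=${1%% *}
    installed=${1#* }
    if [ "$pkg" != "xerces-c" ]; then
        echo "unexpected package line: $1" >&2
        return 2
    fi
    if version_ge "$installed" "$FIXED_VERSION"; then
        return 1
    fi
    return 0
}

# Query the real package database when pacman is present; otherwise use a
# constructed sample line so the script also runs outside Arch Linux.
if command -v pacman >/dev/null 2>&1; then
    line=$(pacman -Q xerces-c 2>/dev/null || true)
else
    line="xerces-c 3.1.3-1"   # constructed sample line, not real output
fi

if [ -z "$line" ]; then
    echo "xerces-c is not installed"
else
    rc=0; affected_line "$line" || rc=$?
    case $rc in
        0) echo "AFFECTED: $line (fixed in $FIXED_VERSION)" ;;
        1) echo "ok: $line" ;;
        *) echo "could not evaluate: $line" ;;
    esac
fi
```

On a real Arch host the script exits after printing one line; an "AFFECTED" result means the `pacman -Syu "xerces-c>=3.1.4-1"` step above has not taken effect yet (or a pinned mirror is serving the old package), and any long-running process that loaded the old library still needs a restart after the upgrade.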
References
https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
https://seclists.org/bugtraq/2016/Jun/115
https://access.redhat.com/security/cve/CVE-2016-4463
Workaround
None.