
Fedora 39: 2023-817ecc703f critical: xerces-c Remote Access Fix

fedora
December 31, 2023
Fedora 39 launch brings critical enhancements for libxml2, focused on improving security and efficiency of XML processing.
Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536

Summary

Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, XML Inclusions.

Update Information:

Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536

Change Log

* Fri Dec 22 2023 Kalev Lember - 3.2.5-1
- Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536

References


[ 1 ] Bug #1788472 - CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
https://bugzilla.redhat.com/show_bug.cgi?id=1788472

[ 2 ] Bug #2243426 - CVE-2023-37536 xerces-c: An integer overflow issue that allows remote attackers to cause out-of-bound access via HTTP request
https://bugzilla.redhat.com/show_bug.cgi?id=2243426

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-817ecc703f' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html
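
After the upgrade, it is worth confirming that no host still carries a xerces-c build older than 3.2.5-1.fc39. The script below is an added example, not part of the Fedora advisory or the xerces-c project; the host names and older builds in the sample inventory are constructed, and GNU `sort -V` is assumed as a stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example: flag xerces-c builds older than the build named in this advisory.
FIXED_VR="3.2.5-1.fc39"   # Version-Release from the advisory (3.2.5, 1.fc39)

# vr_at_least INSTALLED FIXED -> exit status 0 when INSTALLED >= FIXED.
# Assumption: GNU `sort -V` ordering approximates RPM's comparison;
# epochs and '~'/'^' pre/post-release markers are not handled.
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_inventory: reads "host version-release" lines on stdin and prints
# only the hosts whose xerces-c build is older than FIXED_VR.
audit_inventory() {
    while read -r host vr; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        vr_at_least "$vr" "$FIXED_VR" || printf '%s %s\n' "$host" "$vr"
    done
}

# Constructed sample inventory (hypothetical hosts and builds).
sample_inventory() {
    cat <<'EOF'
# host  xerces-c version-release
build01 3.2.4-3.fc39
web02   3.2.5-1.fc39
db03    3.2.3-5.fc39
ci04    3.2.10-1.fc39
EOF
}

# On a Fedora 39 host, the installed build can be checked directly:
#   vr_at_least "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xerces-c)" "$FIXED_VR"
if [ "${1:-}" = "--demo" ]; then
    sample_inventory | audit_inventory
fi
```

Run with `--demo` to audit the constructed inventory; in practice, feed `audit_inventory` one "host version-release" line per machine collected from `rpm -q`.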

Severity
critical

Name: xerces-c
Product: Fedora 39
Version: 3.2.5
Release: 1.fc39
Summary: Validating XML Parser
