CVE-2009-2625

Name	CVE-2009-2625
Source	CVE (at NVD; RH)
Description	XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
References	DSA-1984-1
NVD severity	medium
Debian Bugs	542210, 548358
Debian/oldstable	packages libxerces2-java, sun-java5 are vulnerable.
Debian/stable	packages libxerces2-java, openjdk-6, sun-java5, sun-java6 are vulnerable.
Debian/testing	package libxerces2-java is vulnerable.
Debian/unstable	not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libxerces2-java (PTS)	etch	2.8.1-1	vulnerable
	etch (security)	2.8.1-1+etch1	fixed
	lenny	2.9.1-2	vulnerable
	lenny (security)	2.9.1-2+lenny1	fixed
	squeeze	2.9.1-4	vulnerable
	sid	2.9.1-4.1	fixed
openjdk-6 (PTS)	lenny	6b11-9.1	vulnerable
	lenny (security)	6b11-9.1+lenny2	vulnerable
	squeeze	6b17~pre3-1	fixed
	sid	6b17-1.7-1	fixed
sun-java5 (PTS)	etch/non-free	1.5.0-14-1etch1	vulnerable
	lenny/non-free	1.5.0-17-0.1	vulnerable
sun-java6 (PTS)	lenny/non-free	6-12-1	vulnerable
	squeeze/non-free	6-16-1	fixed
	sid/non-free	6-18-1	fixed

The next table lists affected binary packages.

Binary Package	Release	Version	Status	Architecures
ia32-sun-java5-bin	etch/non-free	1.5.0-14-1etch1	vulnerable	amd64, ia64
	lenny/non-free	1.5.0-17-0.1	vulnerable	amd64, ia64
ia32-sun-java6-bin	lenny/non-free	6-12-1	vulnerable	amd64, ia64
	sid/non-free	6-16-1	fixed	ia64
	squeeze/non-free	6-16-1	fixed	amd64, ia64
ia32-sun-java6-bin, sun-java6-bin, sun-java6-demo, sun-java6-jdk, sun-java6-plugin	sid/non-free	6-17-1	fixed	amd64
icedtea-6-jre-cacao	squeeze	6b17~pre3-1	fixed	amd64, armel, i386, mips, mipsel, powerpc, s390
	sid	6b17-1.7-1	fixed	alpha, amd64, armel, i386, mipsel, powerpc, s390
icedtea-6-jre-cacao, icedtea6-plugin, openjdk-6-dbg, openjdk-6-demo, openjdk-6-jdk, openjdk-6-jre, openjdk-6-jre-headless	sid	6b17~pre3-1	fixed	mips
icedtea6-plugin, openjdk-6-dbg, openjdk-6-demo, openjdk-6-jdk, openjdk-6-jre, openjdk-6-jre-headless	squeeze	6b17~pre3-1	fixed	amd64, armel, i386, ia64, mips, mipsel, powerpc, s390, sparc
	sid	6b17-1.7-1	fixed	alpha, amd64, armel, i386, ia64, mipsel, powerpc, s390, sparc
libxerces2-java	etch	2.8.1-1	vulnerable	all
	etch (security)	2.8.1-1+etch1	fixed	all
libxerces2-java, libxerces2-java-doc	lenny	2.9.1-2	vulnerable	all
	lenny (security)	2.9.1-2+lenny1	fixed	all
	sid, squeeze	2.9.1-4	vulnerable	all
	sid	2.9.1-4.1	fixed	all
libxerces2-java-gcj	lenny	2.9.1-2	vulnerable	amd64, armel, i386, ia64, mips, mipsel, powerpc, s390, sparc
	lenny (security)	2.9.1-2+lenny1	fixed	amd64, armel, i386, ia64, mips, mipsel, powerpc, s390, sparc
	sid	2.9.1-4	vulnerable	mips
	squeeze	2.9.1-4	vulnerable	amd64, hppa, i386, mips, mipsel, powerpc, s390, sparc
	squeeze	2.9.1-4+b1	vulnerable	armel, ia64
	sid	2.9.1-4.1	fixed	alpha, amd64, armel, hppa, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mipsel, powerpc, s390, sparc
openjdk-6-dbg, openjdk-6-demo, openjdk-6-jdk, openjdk-6-jre, openjdk-6-jre-headless	lenny	6b11-9.1	vulnerable	alpha, amd64, armel, i386, ia64, mips, mipsel, powerpc, s390, sparc
	lenny (security)	6b11-9.1+lenny2	vulnerable	alpha, amd64, armel, i386, ia64, mips, mipsel, powerpc, sparc
openjdk-6-doc, openjdk-6-jre-lib, openjdk-6-source	lenny	6b11-9.1	vulnerable	all
	lenny (security)	6b11-9.1+lenny2	vulnerable	all
	squeeze	6b16-4	vulnerable	all
	sid, squeeze	6b17~pre3-1	fixed	all
	sid	6b17-1.7-1	fixed	all
openjdk-6-jre-zero	squeeze	6b17~pre3-1	fixed	amd64, armel, i386, powerpc
	sid	6b17-1.7-1	fixed	amd64, armel, i386, powerpc
sun-java5-bin, sun-java5-demo, sun-java5-jdk	etch/non-free	1.5.0-14-1etch1	vulnerable	amd64, i386
	lenny/non-free	1.5.0-17-0.1	vulnerable	amd64, i386
sun-java5-doc, sun-java5-fonts, sun-java5-jre, sun-java5-source	etch/non-free	1.5.0-14-1etch1	vulnerable	all
	lenny/non-free	1.5.0-17-0.1	vulnerable	all
sun-java5-plugin	etch/non-free	1.5.0-14-1etch1	vulnerable	i386
	lenny/non-free	1.5.0-17-0.1	vulnerable	i386
sun-java6-bin, sun-java6-demo, sun-java6-jdk, sun-java6-plugin	lenny/non-free	6-12-1	vulnerable	amd64, i386
	squeeze/non-free	6-16-1	fixed	amd64, i386
	sid/non-free	6-18-1	fixed	i386
sun-java6-doc, sun-java6-fonts, sun-java6-javadb, sun-java6-jre, sun-java6-source	lenny/non-free	6-12-1	vulnerable	all
sun-java6-fonts, sun-java6-javadb, sun-java6-jre, sun-java6-source	sid/non-free, squeeze/non-free	6-16-1	fixed	all
	sid/non-free	6-17-1	fixed	all
	sid/non-free	6-18-1	fixed	all

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libxerces2-java	source	(unstable)	2.9.1-4.1	unknown		548358
libxerces2-java	source	etch	2.8.1-1+etch1	unknown	DSA-1984-1
libxerces2-java	source	lenny	2.9.1-2+lenny1	unknown	DSA-1984-1
openjdk-6	source	(unstable)	6b16-1.6-1	medium		542210
sun-java5	source	(unstable)	1.5.0-20-1	unknown
sun-java6	source	(unstable)	6-15-1	unknown

Notes

[etch] - sun-java5 <no-dsa> (Non-free not supported)
[lenny] - sun-java5 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)

Home - Testing Security Team - Debian Security - Imprint