CVE-2016-0729

NameCVE-2016-0729
DescriptionMultiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLURL.cpp, and (3) util/XMLUri.cpp in the XML Parser library in Apache Xerces-C before 3.1.3 allow remote attackers to cause a denial of service (segmentation fault or memory corruption) or possibly execute arbitrary code via a crafted document.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-433-1, DSA-3493-1
NVD severityhigh (attack range: remote)
Debian Bugs815907

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xerces-c (PTS)wheezy3.1.1-3+deb7u2fixed
wheezy (security)3.1.1-3+deb7u4fixed
jessie (security), jessie3.1.1-5.1+deb8u3fixed
stretch3.1.4+debian-2fixed
buster, sid3.2.0+debian-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xerces-csource(unstable)3.1.3+debian-1high815907
xerces-csourcejessie3.1.1-5.1+deb8u1highDSA-3493-1
xerces-csourcesqueeze3.1.1-1+deb6u2highDLA-433-1
xerces-csourcewheezy3.1.1-3+deb7u2highDSA-3493-1

Notes

http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
http://svn.apache.org/viewvc?view=revision&revision=1727978

Search for package or bug name: Reporting problems