CVE-2016-4463

Name: CVE-2016-4463
Description: Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-535-1, DSA-3610-1
NVD severity: medium (attack range: remote)
Debian Bugs: 828990

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                   | Version           | Status
xerces-c (PTS)  | wheezy                    | 3.1.1-3+deb7u2    | vulnerable
                | wheezy (security)         | 3.1.1-3+deb7u4    | fixed
                | jessie (security), jessie | 3.1.1-5.1+deb8u3  | fixed
                | buster, sid, stretch      | 3.1.4+debian-2    | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version     | Urgency | Origin     | Debian Bugs
xerces-c  | source | (unstable) | 3.1.3+debian-2.1  | medium  |            | 828990
xerces-c  | source | jessie     | 3.1.1-5.1+deb8u3  | medium  | DSA-3610-1 |
xerces-c  | source | wheezy     | 3.1.1-3+deb7u4    | medium  | DLA-535-1  |

Notes

http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
