USN-4784-1: Xerces-C++ vulnerabilities
15 March 2021
Several security issues were fixed in Xerces-C++.
Releases
Packages
- xerces-c - Validating XML parser written in a portable subset of C++
Details
It was discovered that Xerces-C++ XML Parser mishandles certain kinds of
external DTD references, resulting in a user-after-free. An attacker could
use this vulnerability to cause a denial of service (crash) or possibly
execute arbitrary code. This issue affected only Ubuntu 16.04 ESM.
(CVE-2016-2099)
It was discovered that Xerces-C++ XML Parser fails to successfully parse a
DTD that is too deeply nested. An unauthenticated attacker could use this
vulnerability to cause a denial of service. This issue affected only Ubuntu
16.04 ESM. (CVE-2016-4463)
It was discovered that Xerces-C++ mishandles certain kinds of external DTD
references, resulting in dereference of a NULL pointer. An attacker could
use this vulnerability to cause a denial of service. (CVE-2017-12627)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04
-
libxerces-c3.2
-
3.2.0+debian-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
libxerces-c-dev
-
3.1.3+debian-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
libxerces-c3.1
-
3.1.3+debian-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
libxerces-c-samples
-
3.1.3+debian-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
libxerces-c-doc
-
3.1.3+debian-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.