====================================================================
CERT-Renater Information Note No. 2016/VULN079
_____________________________________________________________________

DATE                 : 25/02/2016
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Xerces-C XML Parser library
                       versions prior to V3.1.3.
======================================================================

http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
_____________________________________________________________________

CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.1.3

Description:
The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a denial
of service attack in many applications by an unauthenticated attacker,
and could conceivably result in remote code execution.

Mitigation:
Applications that are using library versions older than V3.1.3 should
upgrade as soon as possible. Distributors of older versions should apply
the patches from this Subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=1727978

Credit:
This issue was reported by Gustavo Grieco.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
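As an added example (not part of the CERT-Renater note and not code from the Xerces-C project), the following C++ check helps a practitioner act on the Mitigation section: it decides whether a reported Xerces-C version predates the 3.1.3 release in which CVE-2016-0729 is fixed. It parses "major.minor.revision" strings such as the output of `pkg-config --modversion xerces-c`, and, when the Xerces-C headers are present at compile time, also reports the version the build itself is compiled against using the XERCES_VERSION_MAJOR, XERCES_VERSION_MINOR and XERCES_VERSION_REVISION macros from xercesc/util/XercesVersion.hpp. The function names (parseVersion, isAffected, assess) and the sample version strings are my own constructed assumptions; unparseable input is deliberately reported as "unknown" rather than "fixed" so that a malformed inventory entry is never silently treated as patched.

```cpp
#include <cstdio>
#include <sstream>
#include <string>
#include <tuple>

// Compile-time view of the library this translation unit is built against.
// Only used when the Xerces-C headers are available; otherwise skipped.
#if defined(__has_include)
#  if __has_include(<xercesc/util/XercesVersion.hpp>)
#    include <xercesc/util/XercesVersion.hpp>
#    define HAVE_XERCES_VERSION_HEADER 1
#  endif
#endif

// Release in which CVE-2016-0729 is fixed, taken from the advisory above.
const int kFixedMajor = 3;
const int kFixedMinor = 1;
const int kFixedRevision = 3;

struct Version {
    int major;
    int minor;
    int revision;
};

// Parse a "major.minor.revision" string such as "3.1.2" into `out`.
// Anything that does not match that shape exactly (missing component,
// trailing suffix, negative number) returns false, so the caller must treat
// it as "unknown" rather than as "safe".
bool parseVersion(const std::string& text, Version& out) {
    std::istringstream in(text);
    Version v{0, 0, 0};
    char dot1 = 0, dot2 = 0;
    if (!(in >> v.major >> dot1 >> v.minor >> dot2 >> v.revision)) return false;
    if (dot1 != '.' || dot2 != '.') return false;
    if (v.major < 0 || v.minor < 0 || v.revision < 0) return false;
    std::string trailing;
    if (in >> trailing) return false;   // reject e.g. "3.1.2-rc1"
    out = v;
    return true;
}

// True when the library predates the fixed release and is therefore affected.
bool isAffected(const Version& v) {
    return std::make_tuple(v.major, v.minor, v.revision) <
           std::make_tuple(kFixedMajor, kFixedMinor, kFixedRevision);
}

// Wrapper for text taken from `pkg-config --modversion xerces-c` or a package
// database: returns "affected", "fixed" or "unknown".
std::string assess(const std::string& versionText) {
    Version v{0, 0, 0};
    if (!parseVersion(versionText, v)) return "unknown";
    return isAffected(v) ? "affected" : "fixed";
}

int main() {
#ifdef HAVE_XERCES_VERSION_HEADER
    // Version of the headers this binary is compiled against.
    Version built{XERCES_VERSION_MAJOR, XERCES_VERSION_MINOR, XERCES_VERSION_REVISION};
    std::printf("headers: Xerces-C %d.%d.%d -> %s\n", built.major, built.minor,
                built.revision, isAffected(built) ? "affected" : "fixed");
#endif
    // Constructed sample inputs, not real inventory data.
    const char* samples[] = {"2.8.0", "3.1.2", "3.1.3", "3.2.1", "3.1.2-rc1"};
    for (const char* s : samples)
        std::printf("%-10s -> %s\n", s, assess(s).c_str());
    return 0;
}
```

Feed the output of `pkg-config --modversion xerces-c` (or the version recorded by the system package manager) to `assess`; a result of "unknown" means the string needs a human look, not that the host is clean. Note that a distribution may ship a backported fix under an older version number, which this check cannot see; the Subversion revision cited in the advisory is the reference for what such a backport must contain.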