The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Xerces-C++: NULL pointer dereference via the DTD reference

Synthesis of the vulnerability 

An attacker can force Apache Xerces-C++ to dereference a NULL pointer while processing the path to the external DTD, in order to trigger a denial of service.
Vulnerable products: Xerces-C++, Debian, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES.
Severity of this weakness: 1/4.
Creation date: 01/03/2018.
References of this bulletin: CVE-2017-12627, DLA-1328-1, FEDORA-2018-51ce232320, FEDORA-2018-7b97e553ff, openSUSE-SU-2019:1283-1, SUSE-SU-2018:3277-1, SUSE-SU-2019:0977-1, SUSE-SU-2020:2225-1, VIGILANCE-VUL-25404.

Description of the vulnerability 

An attacker can force Apache Xerces-C++ to dereference a NULL pointer while processing the path to the external DTD, in order to trigger a denial of service.

This weakness impacts software or systems such as Xerces-C++, Debian, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this vulnerability announcement is low.

The trust level is "confirmed by the editor", and the origin of the information is a document.

An attacker with expert skills can exploit the threat described in this bulletin.

Solutions for this threat 

Apache Xerces-C++: version 3.2.1.
The version 3.2.1 is fixed:
  http://xerces.apache.org/xerces-c/download.cgi

Debian 7: new xerces-c packages.
New packages are available:
  Debian 7: xerces-c 3.1.1-3+deb7u5

Fedora 28: new mingw-gdal packages.
New packages are available:
  Fedora 28: mingw-gdal 2.2.4-5.fc28

Fedora 28: new mingw-xerces-c packages.
New packages are available:
  Fedora 28: mingw-xerces-c 3.2.1-1.fc28

Fedora 29: new xerces-c27 packages.
New packages are available:
  Fedora 29: xerces-c27 2.7.0-28.fc29

openSUSE Leap 15.0: new xerces-c packages.
New packages are available:
  openSUSE Leap 15.0: libxerces-c-3_1 3.1.4-lp150.2.3.1

SUSE LE 11 SP4: new Xerces-c packages.
New packages are available:
  SUSE LE 11 SP4: Xerces-c 2.8.0-29.17.5.1

SUSE LE 12: new xerces-c packages.
New packages are available:
  SUSE LE 12 SP2: xerces-c 3.1.1-13.3.6
  SUSE LE 12 SP3: xerces-c 3.1.1-13.3.6
  SUSE LE 12 SP4: xerces-c 3.1.1-13.3.6
  SUSE LE 12 SP5: xerces-c 3.1.1-13.3.6

SUSE LE 15: new xerces-c packages.
New packages are available:
  SUSE LE 15 RTM: xerces-c 3.1.4-3.3.25

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerability announcements. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.