Summary: | dev-java/xerces: hash table collisions CPU usage DoS (CVE-2012-0881) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | java |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=787104 | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 268619 | | |
Bug Blocks: | 396397 | | |
Description
Agostino Sarubbo
2014-08-09 12:21:56 UTC
This CVE is not really explanatory: which version is affected? what is the fix? We ship xerces-1.3 and the very latest version available at http://xerces.apache.org/mirrors.cgi, that is 2.11.0. I guess it might affect older versions. The only package relying on xerces-1.3 is castor and it's been marked for removal. I will remove it after castor is removed. Please note that RH closed the bug as WONTFIX: https://bugzilla.redhat.com/show_bug.cgi?id=787104.

* commit 95e1895
| Author: Patrice Clement <monsieurp@gentoo.org>
| Date: Wed Dec 2 16:19:49 2015 +0000
|
| dev-java/xerces: Remove vulnerable version. Fixes security bug 519502.
|
| Package-Manager: portage-2.2.20.1
| Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
|
| delete mode 100644 dev-java/xerces/files/xerces-1.3.1-build.xml
| delete mode 100644 dev-java/xerces/files/xerces-2.3.0-gentoo.patch
| delete mode 100644 dev-java/xerces/files/xerces-2.9.0-gentoo.patch
| delete mode 100644 dev-java/xerces/files/xerces-2.9.0-no_dom3.patch
| delete mode 100644 dev-java/xerces/files/xerces-2.9.1-gentoo.patch
| delete mode 100644 dev-java/xerces/files/xerces-2.9.1-no_dom3.patch
| delete mode 100644 dev-java/xerces/xerces-1.3.1-r2.ebuild

Security team, Please vote.

Please review https://www.gentoo.org/support/security/vulnerability-treatment-policy.html for the future. Vote is not one of the whiteboards :)

Security Please Vote.

GLSA Vote: No

Thank you all. Closing as noglsa.