From ${URL} : We found a use-after-free in Xerces 3.1.3 parsing an XML file (also affecting older versions). Technical details and a patch are available here: https://issues.apache.org/jira/browse/XERCESC-2066
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The upstream patches were applied to the trunk. See also:
http://svn.apache.org/viewvc?view=revision&revision=1747619
http://svn.apache.org/viewvc?view=revision&revision=1747620
3.1.4 contains the fix, please stabilize
commit 305cee3cfcf1b0a2a787aad8ae9c5ac854b2533d
Author: David Seifert <soap@gentoo.org>
Date: Sat Oct 15 11:30:09 2016 +0200
    dev-libs/xerces-c: Version bump to 3.1.4
    Gentoo-bug: 584506
    * EAPI=6
@arches, please stabilize the following: =dev-libs/xerces-c-3.1.4
amd64 stable
x86 stable
@Jer, why the version change to -r1?
-r1 includes the sample binaries in order for ago to perform his fuzzing tests. Hence, please stabilize -r1.
Stable on alpha.
Stable for HPPA PPC64.
An automated check of this bug failed - the following atom is unknown: dev-libs/xerces-c-3.1.4 Please verify the atom list.
An automated check of this bug succeeded - the previous repoman errors are now resolved.
sparc stable
ppc stable. Maintainer(s), please clean up.
All old versions removed.
commit 44485bad3bbf280839f823b81a1051e56db5c93f
Author: David Seifert <soap@gentoo.org>
Date: Wed Dec 21 09:07:45 2016 +0100
    dev-libs/xerces-c: Remove old
This issue was resolved and addressed in GLSA 201612-46 at https://security.gentoo.org/glsa/201612-46 by GLSA coordinator Aaron Bauman (b-man).