NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Vulnerability roundup 113: xerces-c-3.2.3: 1 advisory [8.1] #168694

Closed ckauhaus closed 5 months ago

ckauhaus commented 2 years ago

search, files

CVE details

CVE-2018-1311

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.


Scanned versions: nixos-21.11: a62ce97f92b; nixos-unstable: ff9efb0724d.

JohnRTitor commented 5 months ago

Fixed in https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835 which is in 3.2.5 (updated in nixpkgs in #276628)