Bug 1220080 (CVE-2024-23807)

Summary: VUL-0: CVE-2024-23807: xerces-c: duplicate CVE of CVE-2018-1311 to announce correct fixed-in versions
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: andrea.mattiazzo, camila.matos, danilo.spinella, david.anes
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/394375/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1220300
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23807:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-19 14:57:29 UTC
Posted by Arnout Engelen on Feb 16
Severity: moderate

Affected versions:

- Apache Xerces C++ 3.0.0 before 3.2.5

Description:

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs.

Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23807
https://seclists.org/oss-sec/2024/q1/138
https://bugzilla.redhat.com/show_bug.cgi?id=2264581
https://www.cve.org/CVERecord?id=CVE-2024-23807
http://www.openwall.com/lists/oss-security/2024/02/16/1

Patch:
https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835
Comment 1 Andrea Mattiazzo 2024-02-19 15:09:34 UTC
Following thread [0], only SUSE:SLE-15:Update/xerces-c is missing the updated patch, the other codestreams are already fixed.

[0] https://bugzilla.suse.com/show_bug.cgi?id=1159552