Bugzilla – Bug 1129537
VUL-0: CVE-2019-9628: xmltooling: incorrect handling of exceptions on malformed XML leading to denial of service
Last modified: 2020-12-02 14:15:07 UTC
CVE-2019-9628

Ross Geerlings discovered that the XMLTooling library didn't correctly handle exceptions on malformed XML declarations, which could result in denial of service against the application using XMLTooling.

For the stable distribution (stretch), this problem has been fixed in version 1.6.0-4+deb9u2.

We recommend that you upgrade your xmltooling packages.

For the detailed security status of xmltooling please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/xmltooling

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9628
http://www.debian.org/security/2019/dsa-4407
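Added illustration of the failure mode the advisory names (this is not code from xmltooling, Xerces-C or the upstream fix): a parsing layer can raise more than one exception hierarchy, and a caller that catches only one of them lets a malformed document escape as an uncaught exception, which in a C++ daemon means std::terminate() and a dead process for every client. The hardened handler catches the whole hierarchy at the request boundary so the same input becomes one rejected request. The toy parser, the exception classes and the sample documents are constructed for this example.

```cpp
// Added example, not xmltooling's code: uncaught exception type as a DoS vector.
#include <cstdint>
#include <exception>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical exception types standing in for two unrelated hierarchies
// a parsing stack may throw. DeclarationError deliberately does NOT derive
// from ParseError, mirroring "an exception of a type the caller did not expect".
struct ParseError : std::runtime_error {
    using std::runtime_error::runtime_error;
};
struct DeclarationError : std::exception {
    const char* what() const noexcept override { return "malformed XML declaration"; }
};

// Toy parser (constructed for this example): it only validates the XML
// declaration, which is the part of the document the advisory is about.
// Generic non-XML input -> ParseError; a broken <?xml ...?> prolog -> DeclarationError.
void parse_document(const std::string& doc) {
    if (doc.rfind("<?xml", 0) == 0) {                      // document starts with a declaration
        const auto end = doc.find("?>");
        if (end == std::string::npos) throw DeclarationError{};   // declaration never closed
        const std::string decl = doc.substr(0, end);
        const auto enc = decl.find("encoding=");
        if (enc != std::string::npos) {
            const std::string value = decl.substr(enc + 9);
            if (value.size() < 2 || (value[0] != '"' && value[0] != '\''))
                throw DeclarationError{};                            // unquoted encoding
            const auto close = value.find(value[0], 1);
            if (close == std::string::npos) throw DeclarationError{}; // unterminated quote
            const std::string name = value.substr(1, close - 1);
            if (name != "UTF-8" && name != "utf-8") throw DeclarationError{}; // unknown encoding
        }
    }
    if (doc.find('<') == std::string::npos) throw ParseError("input is not XML");
}

// Vulnerable pattern: only the "expected" exception type is caught.
// A DeclarationError propagates out of the request handler; with no outer
// handler the runtime calls std::terminate() and the whole process dies.
bool handle_request_vulnerable(const std::string& doc) {
    try {
        parse_document(doc);
        return true;
    } catch (const ParseError&) {
        return false;                                       // one bad request, service continues
    }
}

// Hardened pattern: every exception type the parsing layer can raise is
// caught at the request boundary, so a malformed document is a rejected
// request rather than a crash. std::exception covers both hierarchies here.
bool handle_request_hardened(const std::string& doc) {
    try {
        parse_document(doc);
        return true;
    } catch (const ParseError&) {
        return false;
    } catch (const std::exception&) {
        return false;
    }
}

// Helper so the escape can be observed without aborting the demo process:
// true when the vulnerable handler lets an exception propagate past it.
bool exception_escapes_vulnerable(const std::string& doc) {
    try {
        handle_request_vulnerable(doc);
        return false;
    } catch (...) {
        return true;
    }
}

int main() {
    // Constructed sample documents.
    const std::string good  = "<?xml version='1.0' encoding='UTF-8'?><a/>";
    const std::string bogus = "<?xml version='1.0' encoding='bogus'?><a/>";
    const std::string junk  = "plain text, not xml";

    std::cout << "hardened(good)   accepted: " << handle_request_hardened(good) << '\n';
    std::cout << "hardened(bogus)  accepted: " << handle_request_hardened(bogus) << '\n';
    std::cout << "vulnerable(junk) accepted: " << handle_request_vulnerable(junk) << '\n';
    std::cout << "vulnerable(bogus) exception escapes handler: "
              << exception_escapes_vulnerable(bogus) << '\n';
    return 0;
}
```

The practical check for a deployment is the same as the one the fix represents: find every place a request path hands attacker-controlled XML to the parser and confirm the catch clauses there cover every exception hierarchy the parser (and the libraries under it) can throw, not only the library's own error type.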
Helpful references / commits / fixes:
https://shibboleth.net/community/advisories/secadv_20190311.txt
https://issues.shibboleth.net/jira/browse/CPPXT-143
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5
Both SUSE:SLE-12-SP1:Update as well as SUSE:SLE-15:Update contain the vulnerable code. The upstream commit should be applicable without any complications as far as I can see.
| Codestream       | Request |
|------------------|---------|
| SLE-12-SP1       | 187678  |
| SLE-15           | 187680  |
| openSUSE:Leap    | via SLE |
| openSUSE:Factory | 686947  |

Done, I'm reassigning it to the security team.
SUSE-SU-2019:0929-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): xmltooling-1.6.4-3.3.2

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:0928-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): xmltooling-1.5.6-3.9.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): xmltooling-1.5.6-3.9.1
SUSE Linux Enterprise Server 12-SP4 (src): xmltooling-1.5.6-3.9.1
SUSE Linux Enterprise Server 12-SP3 (src): xmltooling-1.5.6-3.9.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1235-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
openSUSE Leap 15.0 (src): xmltooling-1.6.4-lp150.2.3.1

openSUSE-SU-2019:1276-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
openSUSE Leap 42.3 (src): xmltooling-1.5.6-12.1
Done