Bugzilla – Bug 1220080
VUL-0: CVE-2024-23807: xerces-c: duplicate CVE of CVE-2018-1311 to announce correct fixed-in versions
Last modified: 2024-05-10 14:03:58 UTC
Posted by Arnout Engelen on Feb 16

Severity: moderate

Affected versions:
- Apache Xerces C++ 3.0.0 before 3.2.5

Description:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX...

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23807
- https://seclists.org/oss-sec/2024/q1/138
- https://bugzilla.redhat.com/show_bug.cgi?id=2264581
- https://www.cve.org/CVERecord?id=CVE-2024-23807
- http://www.openwall.com/lists/oss-security/2024/02/16/1

Patch: https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835
Following thread [0], only SUSE:SLE-15:Update/xerces-c is missing the updated patch; the other codestreams are already fixed.

[0] https://bugzilla.suse.com/show_bug.cgi?id=1159552