SCIENTIFIC-LINUX-DEVEL Archives

September 2014

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Pat Riehecky <[log in to unmask]>
Reply To: Pat Riehecky <[log in to unmask]>
Date: Tue, 30 Sep 2014 08:51:59 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (74 lines)

Historically, SL has not included the more detailed description to try 
and cut to the heart of the security issue.  Our focus being along the 
lines of "since we ship with security errata on by default, here is why 
this package is changing".  We know everyone is busy and are hoping to 
get straight to the point.

Putting the package background in the message is an interesting idea.  
We'll have to ponder it a bit....

Thanks for the feedback!

Pat

On 09/30/2014 12:37 AM, Andras Horvath wrote:
> (Sorry, sent to the wrong list).
>
> Hi,
>
> With all respect for the work, may I ask if there is any possibility to include a short description of the package's functionality in the security errata report? There was one included in the past as far as I remember. I'd find it more than practical to have it because it gives useful info to sysadmins about which area of the system is affected. Which software layer etc.
>
> Of course I could run a "yum info", just thought it may be good for everyone not having to.
>
>
> Andras
>
>
> On Mon, 29 Sep 2014 21:37:02 +0000
> Pat Riehecky <[log in to unmask]> wrote:
>
>> Synopsis:          Moderate: xerces-j2 security update
>> Advisory ID:       SLSA-2014:1319-1
>> Issue Date:        2014-09-29
>> CVE Numbers:       CVE-2013-4002
>> --
>>
>> A resource consumption issue was found in the way Xerces-J handled XML
>> declarations. A remote attacker could use an XML document with a specially
>> crafted declaration using a long pseudo-attribute name that, when parsed
>> by an application using Xerces-J, would cause that application to use an
>> excessive amount of CPU. (CVE-2013-4002)
>>
>> Applications using Xerces-J must be restarted for this update to take
>> effect.
>> --
>>
>> SL6
>>    x86_64
>>      xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-debuginfo-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-demo-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-javadoc-other-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.x86_64.rpm
>>      xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64.rpm
>>    i386
>>      xerces-j2-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-debuginfo-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-demo-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-javadoc-other-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.i686.rpm
>>      xerces-j2-scripts-2.7.1-12.7.el6_5.i686.rpm
>>
>> - Scientific Linux Development Team


-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/
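An added example, not part of the thread or of the SL tooling: a small Python check that parses package file names in the form the advisory lists them and decides, using rpm's own version-comparison rules, whether an installed xerces-j2 build (the NVRA string printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' xerces-j2`) predates the fixed 2.7.1-12.7.el6_5 release. The advisory list is trimmed to the two main packages, the installed NVRA strings in the usage are constructed, and the epoch field is ignored.

```python
"""Decide whether an installed xerces-j2 build is older than the fix in SLSA-2014:1319-1."""
import re

# Fixed builds as listed in the advisory (main package only; other sub-packages omitted here).
ADVISORY_RPMS = [
    "xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm",
    "xerces-j2-2.7.1-12.7.el6_5.i686.rpm",
]

def parse_nvra(filename):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def rpmvercmp(a, b):
    """Compare two version/release strings like rpm does: -1, 0 or 1.
    Segments are runs of digits or letters; digits beat letters; '~' sorts lowest."""
    seg = re.compile(r"[0-9]+|[a-zA-Z]+|~")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # The string with more segments is newer, unless its next segment is '~'.
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign

def needs_update(installed_nvra, advisory_rpms=ADVISORY_RPMS):
    """True if the advisory lists a fixed build for this name/arch and the installed one is older."""
    name, ver, rel, arch = parse_nvra(installed_nvra)
    for rpm in advisory_rpms:
        n, v, r, a = parse_nvra(rpm)
        if n == name and a == arch:
            return (rpmvercmp(ver, v) or rpmvercmp(rel, r)) < 0
    return False  # package/arch not covered by this advisory

if __name__ == "__main__":
    # Constructed NVRA strings, not taken from a real host.
    for nvra in ("xerces-j2-2.7.1-12.6.el6.x86_64", "xerces-j2-2.7.1-12.7.el6_5.i686"):
        print(nvra, "-> needs update" if needs_update(nvra) else "-> at or past fixed build")
```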
