SCIENTIFIC-LINUX-DEVEL Archives

September 2014

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: David Crick <[log in to unmask]>
Reply To: David Crick <[log in to unmask]>
Date: Tue, 30 Sep 2014 16:12:14 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (96 lines)

I also seemed to think this information was included (previously),
but I guess it's in my head from reading TUV's errata notices.

I'd like to second having this information in SL's security
advisories.  It's just a little bit of extra information that gives me
a clue about "should I [really, really] care about getting this update
[done asap]."

David.



On Tue, Sep 30, 2014 at 2:51 PM, Pat Riehecky <[log in to unmask]> wrote:
> Historically, SL has not included the more detailed description, to try and
> cut to the heart of the security issue.  Our focus has been along the lines of
> "since we ship with security errata on by default, here is why this package
> is changing".  We know everyone is busy and are hoping to get straight to
> the point.
>
> Putting the package background in the message is an interesting idea.  We'll
> have to ponder it a bit....
>
> Thanks for the feedback!
>
> Pat
>
> On 09/30/2014 12:37 AM, Andras Horvath wrote:
>>
>> (Sorry, sent to the wrong list).
>>
>> Hi,
>>
>> With all respect for the work, may I ask if there is any possibility to
>> include a short description of the package's functionality in the security
>> errata report? There was one included in the past as far as I remember. I'd
>> find it more than practical to have it because it gives useful info to
>> sysadmins about which area of the system is affected, which software layer,
>> etc.
>>
>> Of course I could run a "yum info", just thought it may be good for
>> everyone not having to.
>>
>>
>> Andras
>>
>>
>> On Mon, 29 Sep 2014 21:37:02 +0000
>> Pat Riehecky <[log in to unmask]> wrote:
>>
>>> Synopsis:          Moderate: xerces-j2 security update
>>> Advisory ID:       SLSA-2014:1319-1
>>> Issue Date:        2014-09-29
>>> CVE Numbers:       CVE-2013-4002
>>> --
>>>
>>> A resource consumption issue was found in the way Xerces-J handled XML
>>> declarations. A remote attacker could use an XML document with a specially
>>> crafted declaration using a long pseudo-attribute name that, when parsed
>>> by an application using Xerces-J, would cause that application to use an
>>> excessive amount of CPU. (CVE-2013-4002)
>>>
>>> Applications using the Xerces-J must be restarted for this update to take
>>> effect.
>>> --
>>>
>>> SL6
>>>    x86_64
>>>      xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-debuginfo-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-demo-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-javadoc-other-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.x86_64.rpm
>>>      xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64.rpm
>>>    i386
>>>      xerces-j2-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-debuginfo-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-demo-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-javadoc-other-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.i686.rpm
>>>      xerces-j2-scripts-2.7.1-12.7.el6_5.i686.rpm
>>>
>>> - Scientific Linux Development Team
>
>
>
> --
> Pat Riehecky
>
> Scientific Linux developer
> http://www.scientificlinux.org/
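The advisory quoted in this thread lists the fixed package NVRs per architecture, and the discussion is about how much context a sysadmin needs to decide whether to apply it quickly. The script below is an added example, not part of the thread and not a Scientific Linux tool: it parses an advisory in the format shown above (abridged to a few of the listed packages), implements a simplified rpm-style version comparison, and reports which packages from a constructed "installed" list are still older than the fix. The `INSTALLED` list and the `check_host` / `rpmvercmp` helpers are assumptions made for the example; on a real host the installed list would come from `rpm -qa`.

```python
"""Parse an SL security advisory and check installed RPM versions against it.

Added example, not part of the original thread or any Scientific Linux tool.
ADVISORY is abridged from the quoted SLSA-2014:1319-1 message; INSTALLED is a
constructed sample of what a host might report.
"""
import re
from itertools import zip_longest

ADVISORY = """\
Synopsis:          Moderate: xerces-j2 security update
Advisory ID:       SLSA-2014:1319-1
Issue Date:        2014-09-29
CVE Numbers:       CVE-2013-4002
--
SL6
   x86_64
     xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm
     xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64.rpm
   i386
     xerces-j2-2.7.1-12.7.el6_5.i686.rpm
"""

# Constructed sample: roughly what
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# might print on a host that has not yet applied the update.
INSTALLED = [
    "xerces-j2-2.7.1-12.6.el6.x86_64",
    "xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64",
    "bash-4.1.2-15.el6_4.x86_64",
]

NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def split_nvra(s):
    """Split 'name-version-release.arch' (a trailing '.rpm' is dropped first)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    m = NVRA_RE.match(s)
    if not m:
        raise ValueError("not an NVRA string: " + s)
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")


def parse_advisory(text):
    """Return (header fields, {(name, arch): (ver, rel)}) for the shipped packages."""
    header, packages = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(".rpm"):
            name, ver, rel, arch = split_nvra(line)
            packages[(name, arch)] = (ver, rel)
        elif ":" in line and not line.startswith("--"):
            key, _, val = line.partition(":")
            header[key.strip()] = val.strip()
    return header, packages


def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits or letters; anything else separates
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison returning -1, 0 or 1 (no epoch/tilde handling)."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:          # a ran out of segments first: a is older
            return -1
        if y is None:          # b ran out first: a is newer
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts after alpha
        if x != y:
            return 1 if x > y else -1
    return 0


def cmp_nvr(installed, fixed):
    """Compare (ver, rel) tuples: version first, then release."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def check_host(advisory_text, installed_list):
    """Return installed packages (NVRA strings) that are older than the advisory's fix."""
    _, fixed = parse_advisory(advisory_text)
    stale = []
    for pkg in installed_list:
        name, ver, rel, arch = split_nvra(pkg)
        target = fixed.get((name, arch))
        if target is not None and cmp_nvr((ver, rel), target) < 0:
            stale.append(pkg)
    return stale


if __name__ == "__main__":
    hdr, _ = parse_advisory(ADVISORY)
    print(hdr["Advisory ID"], hdr["CVE Numbers"])
    for pkg in check_host(ADVISORY, INSTALLED):
        print("needs update:", pkg)
```

The comparison deliberately mirrors only the common part of rpm's `rpmvercmp` (digit runs compared numerically, letter runs lexically, longer wins on a tie); epochs and `~` pre-release markers are not handled, so for production use prefer `rpm --queryformat` plus `rpmdev-vercmp` or the `rpm` Python bindings rather than this re-implementation.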