SCIENTIFIC-LINUX-DEVEL Archives

September 2014

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Fw: Security ERRATA Moderate: xerces-j2 on SL6.x i386/x86_64
From:
Andras Horvath <[log in to unmask]>
Reply To:
Andras Horvath <[log in to unmask]>
Date:
Tue, 30 Sep 2014 18:47:42 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (77 lines) 
Thanks for considering.

Andras


On Tue, 30 Sep 2014 08:51:59 -0500
Pat Riehecky <[log in to unmask]> wrote:

> Historically, SL has not included the more detailed description to try 
> and cut to the heart of the security issue.  Our focus being along the 
> lines of "since we ship with security errata on by default, here is why 
> this package is changing".  We know everyone is busy and are hoping to 
> get straight to the point.
> 
> Putting the package background in the message is an interesting idea.  
> We'll have to ponder it a bit....
> 
> Thanks for the feedback!
> 
> Pat
> 
> On 09/30/2014 12:37 AM, Andras Horvath wrote:
> > (Sorry, sent to the wrong list).
> >
> > Hi,
> >
> > With all respect for the work, may I ask if there is any possibility to include a short description of the package's functionality in the security errata report? There was one included in the past as far as I remember. I'd find it more than practical to have it because it gives a useful info to sysadmins about which are of the system is affected. Which software layer etc.
> >
> > Of course I could run a "yum info", just thought it may be good for everyone not having to.
> >
> >
> > Andras
> >
> >
> > On Mon, 29 Sep 2014 21:37:02 +0000
> > Pat Riehecky <[log in to unmask]> wrote:
> >
> >> Synopsis:          Moderate: xerces-j2 security update
> >> Advisory ID:       SLSA-2014:1319-1
> >> Issue Date:        2014-09-29
> >> CVE Numbers:       CVE-2013-4002
> >> --
> >>
> >> A resource consumption issue was found in the way Xerces-J handled XML
> >> declarations. A remote attacker could use an XML document with a specially
> >> crafted declaration using a long pseudo-attribute name that, when parsed
> >> by an application using Xerces-J, would cause that application to use an
> >> excessive amount of CPU. (CVE-2013-4002)
> >>
> >> Applications using the Xerces-J must be restarted for this update to take
> >> effect.
> >> --
> >>
> >> SL6
> >>    x86_64
> >>      xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-debuginfo-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-demo-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-javadoc-other-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.x86_64.rpm
> >>      xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64.rpm
> >>    i386
> >>      xerces-j2-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-debuginfo-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-demo-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-javadoc-other-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.i686.rpm
> >>      xerces-j2-scripts-2.7.1-12.7.el6_5.i686.rpm
> >>
> >> - Scientific Linux Development Team
> 
>

ATOM RSS1 RSS2