Re: [xml-dev] Article: Vulnerability In XML Libraries Discovered... what are the vulnerabilities?
- From: Chuck Bearden <cbearden@rice.edu>
- To: "Costello, Roger L." <costello@mitre.org>
- Date: Thu, 13 Aug 2009 08:58:31 -0500
Costello, Roger L. wrote:
> Hi Folks,
>
> This article [1] says that:
>
> Researchers have uncovered numerous vulnerabilities
> in popular XML libraries from Sun Microsystems,
> Python and the Apache Software Foundation.
>
> But it doesn't say *what* the vulnerabilities are.
>
> It says that:
>
> More details about some of the XML vulnerabilities
> that were found [will be released] at the Hacker Halted
> 2009 security conference in Miami, Florida, in September.
>
> Do you have information on specifically what the vulnerabilities are?
>
> /Roger
>
> [1] http://www.eweekeurope.co.uk/news/vulnerability-in-xml-libraries-discovered-1554

Finland CERT issued an advisory:

<http://cert.fi/en/reports/2009/vulnerability2009085.html>

"The vulnerabilities are related to the parsing of XML elements with
unexpected byte values and recursive parentheses, which cause the
program to access memory out of bounds, or to loop indefinitely.
The effects of the vulnerabilities include denial of service and
potentially code execution. The vulnerabilities can be exploited by
enticing a user to open a specially modified file, or by submitting
it to a server that handles XML content."

libxml2 was added to the list after the initial announcement.

Chuck
--
Chuck Bearden (cbearden@rice.edu ; 713.348.3661)
XML Engineer, Connexions
http://cnx.org/