Subject: Denial of service with Xerces?
From: Jeffrey Sinclair
To: j-users@xerces.apache.org
Date: Mon, 10 Aug 2009 22:18:53 +0100
Message-Id: <1249939133.6241.12.camel@Lini>

j-users,

There was a vulnerability report relating to a denial of service attack with Xerces recently [1].

The vulnerability report does not appear to go into much detail; however, the link [2] to the C++ implementation of Xerces would suggest it relates to nested DTD structures (I assume infinite recursion). The report lists all versions of Apache Xerces as being impacted.

Would someone be able to confirm whether there is an issue with Xerces for Java and, if so, what the actual issue is?

Thanks in advance for any help.

Regards,
Jeff

[1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
[2] http://svn.apache.org/viewvc?view=rev&revision=781488
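The post does not say what the reported Xerces-J problem actually is, only that it appears to involve nested DTD structures. Independently of that answer, the standard defensive posture for a parser that only needs to handle DTD-less documents is to refuse any DOCTYPE declaration before the DTD is ever processed. The following is an added example, not code from the poster or from the Xerces project; it assumes a JVM with Xerces-J (or the JDK's bundled Xerces derivative) as the SAX provider, and it uses the real Xerces feature URIs `http://apache.org/xml/features/disallow-doctype-decl` and `http://apache.org/xml/features/nonvalidating/load-external-dtd` together with the standard SAX external-entity features. The two sample documents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hardened SAX parser configuration: a DOCTYPE declaration (internal or
 * external) is treated as a fatal error, so no DTD content is ever parsed.
 * Added example; not part of the mailing-list post or of Xerces itself.
 */
public class DtdHardening {

    // Xerces-specific feature: reject any DOCTYPE declaration outright.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: a well-formed document carrying an internal DTD subset.
    static final String WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]>\n" +
        "<note>hello</note>";

    // Constructed sample: the same document without any DTD.
    static final String WITHOUT_DTD = "<note>hello</note>";

    /** Builds a parser that refuses DOCTYPE and never fetches external DTDs/entities. */
    static SAXParser newHardenedParser()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Primary control: fail fast on any <!DOCTYPE ...>.
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth for deployments that must allow a DOCTYPE: never
        // resolve external general/parameter entities or load an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    /** Returns true if the document parsed, false if the hardened parser rejected it. */
    static boolean parses(String xml) throws Exception {
        SAXParser p = newHardenedParser();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            // DefaultHandler rethrows fatal errors as SAXParseException.
            p.parse(in, new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document accepted:        " + parses(WITHOUT_DTD)); // true
        System.out.println("document with DOCTYPE accepted: " + parses(WITH_DTD));    // false
    }
}
```

Run with `javac DtdHardening.java && java DtdHardening`. The DTD-less document parses normally, while the one with a DOCTYPE is rejected as a fatal error before any element or entity declaration is read, which is the property you want when the question is whether some DTD construct can drive the parser into unbounded recursion or expansion. If an application genuinely needs DTDs, leave `disallow-doctype-decl` off but keep the external-entity and external-DTD features disabled, and treat the parser version as something to keep current rather than rely on configuration alone.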