Control: tags -1 + confirmed

On Thu, 2018-04-26 at 03:53 -0400, William Blough wrote:
> I would like to update xerces-c in a future point release. This update
> will fix one issue:
>
> * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
>   Offensive Research discovered that the Xerces-C XML parser mishandles
>   certain kinds of external DTD references, resulting in dereference of a
>   NULL pointer while processing the path to the DTD. The bug allows for a
>   denial of service attack in applications that allow DTD processing and do
>   not prevent external DTD usage, and could conceivably result in remote code
>   execution.

Please go ahead.

Regards,

Adam