
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1626
                         xerces-c security update
                               30 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xerces-c
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4463  

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3610

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running xerces-c check for an updated version of the software for 
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3610-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 29, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xerces-c
CVE ID         : CVE-2016-4463
Debian Bug     : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, overflows the stack when parsing a deeply nested DTD. A remote
unauthenticated attacker can take advantage of this flaw to cause a
denial of service against applications using the xerces-c library.

Additionally, this update includes an enhancement that lets applications
fully disable DTD processing through an environment variable
(XERCES_DISABLE_DTD).
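Added example (not code from Debian, AusCERT or the Xerces-C project): a standalone C++ pre-parse gate that measures nesting depth inside a document's internal DTD subset and refuses the document before it reaches a DTD scanner that recurses once per nesting level. The advisory does not say which DTD construct nests, so the gate assumes parenthesised content-model groups and `<![ ... ]]>` conditional sections, and the depth cap of 64 is a constructed value; upgrading the package or setting XERCES_DISABLE_DTD remains the actual fix.

```cpp
#include <cstddef>
#include <string>

// Deepest nesting inside the internal DTD subset (the part between "[" and "]>"
// after <!DOCTYPE): "(" / ")" in content models and "<![" / "]]>" conditional
// sections. Quoted literals and comments are skipped so that "(x)" inside an
// ATTLIST default value does not count. Returns 0 without an internal subset.
std::size_t dtdNestingDepth(const std::string& xml) {
    std::size_t doctype = xml.find("<!DOCTYPE");
    if (doctype == std::string::npos) return 0;
    std::size_t start = xml.find('[', doctype);
    if (start == std::string::npos) return 0;   // external subset only

    std::size_t depth = 0, maxDepth = 0;
    for (std::size_t i = start + 1; i < xml.size(); ++i) {
        char c = xml[i];
        if (c == '"' || c == '\'') {                        // skip quoted literal
            std::size_t close = xml.find(c, i + 1);
            if (close == std::string::npos) break;
            i = close;
        } else if (xml.compare(i, 4, "<!--") == 0) {        // skip comment
            std::size_t close = xml.find("-->", i + 4);
            if (close == std::string::npos) break;
            i = close + 2;
        } else if (c == '(' || xml.compare(i, 3, "<![") == 0) {
            if (c != '(') i += 2;                           // step over "<!["
            if (++depth > maxDepth) maxDepth = depth;
        } else if (c == ')' || xml.compare(i, 3, "]]>") == 0) {
            if (c != ')') i += 2;                           // step over "]]>"
            if (depth == 0) break;   // unbalanced close: leave it to the real parser
            --depth;
        } else if (c == ']' && depth == 0) {
            break;                   // "]>" closes the internal subset
        }
    }
    return maxDepth;
}

// Gate: hand the document to the DTD-aware parser only when its nesting stays
// within a cap chosen well below the recursion depth the process stack tolerates.
bool safeToHandToDtdParser(const std::string& xml, std::size_t maxAllowedDepth = 64) {
    return dtdNestingDepth(xml) <= maxAllowedDepth;
}

// Constructed test input: an ELEMENT content model wrapped in `levels` nested
// parentheses, used here only to exercise the gate.
std::string nestedContentModelSample(std::size_t levels) {
    std::string model = "#PCDATA";
    for (std::size_t i = 0; i < levels; ++i) model = "(" + model + ")";
    return "<?xml version=\"1.0\"?>\n<!DOCTYPE a [\n<!ELEMENT a " + model + ">\n]>\n<a/>";
}
```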

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u3.

We recommend that you upgrade your xerces-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================