-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:108 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xerces-j2 Date : June 13, 2011 Affected: 2009.0, 2010.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in xerces-j2: Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework (CVE-2009-2625). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 37cb066faf70adc13f94dde20a432baa 2009.0/i586/xerces-j2-2.9.0-9.1mdv2009.0.i586.rpm d4eae4a3c3598d4a8aa937e06a666a4c 2009.0/i586/xerces-j2-demo-2.9.0-9.1mdv2009.0.i586.rpm 726068ab70043a5ffec264a74584bbd1 2009.0/i586/xerces-j2-javadoc-apis-2.9.0-9.1mdv2009.0.i586.rpm ebea985ed82f10cba85c7dc63ebe3292 2009.0/i586/xerces-j2-javadoc-impl-2.9.0-9.1mdv2009.0.i586.rpm 88990006a3d52f94bf1d92cba4974dfd 2009.0/i586/xerces-j2-javadoc-other-2.9.0-9.1mdv2009.0.i586.rpm c43bddc774e3740943a09ec7c944c90d 2009.0/i586/xerces-j2-javadoc-xni-2.9.0-9.1mdv2009.0.i586.rpm 45259a83b9e785c45c36ad3af81e7c1a 2009.0/i586/xerces-j2-scripts-2.9.0-9.1mdv2009.0.i586.rpm ddf57cd31d55064c33889faf9e9f74b8 2009.0/SRPMS/xerces-j2-2.9.0-9.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: cf0fe4b70ed214ea14b466edf8981edb 2009.0/x86_64/xerces-j2-2.9.0-9.1mdv2009.0.x86_64.rpm 5e4b68b38f554355d423838f991cf642 2009.0/x86_64/xerces-j2-demo-2.9.0-9.1mdv2009.0.x86_64.rpm f81effc463e3da1f758b5f2b578956fd 2009.0/x86_64/xerces-j2-javadoc-apis-2.9.0-9.1mdv2009.0.x86_64.rpm c0483b80fb2b2ec4e72113c0440ae795 2009.0/x86_64/xerces-j2-javadoc-impl-2.9.0-9.1mdv2009.0.x86_64.rpm 48df56989967e0594d38d43c6c880a1f 2009.0/x86_64/xerces-j2-javadoc-other-2.9.0-9.1mdv2009.0.x86_64.rpm c2767225bb3a6017ca0e9e3b23ab70f6 2009.0/x86_64/xerces-j2-javadoc-xni-2.9.0-9.1mdv2009.0.x86_64.rpm f94f0123950744968da229f46d592770 2009.0/x86_64/xerces-j2-scripts-2.9.0-9.1mdv2009.0.x86_64.rpm ddf57cd31d55064c33889faf9e9f74b8 2009.0/SRPMS/xerces-j2-2.9.0-9.1mdv2009.0.src.rpm Mandriva Linux 2010.1: e5ad74cbbc7031d129612b6c295314f6 2010.1/i586/xerces-j2-2.9.0-12.1mdv2010.2.i586.rpm 36f1d2dc0ad0eaf65f3caf681a786b1c 2010.1/i586/xerces-j2-demo-2.9.0-12.1mdv2010.2.i586.rpm 8d3011a0fa4096193fc3a9b55f48cb62 2010.1/i586/xerces-j2-javadoc-apis-2.9.0-12.1mdv2010.2.i586.rpm 21959c92a02a399eaedc680ba94a852b 2010.1/i586/xerces-j2-javadoc-impl-2.9.0-12.1mdv2010.2.i586.rpm a3bf0c3fea849df6c75549b92bb2fc69 2010.1/i586/xerces-j2-javadoc-other-2.9.0-12.1mdv2010.2.i586.rpm 38736a69978ea27e8c86697b605de2bb 2010.1/i586/xerces-j2-javadoc-xni-2.9.0-12.1mdv2010.2.i586.rpm 71eb274ae0b1e3b8d311c825c07c583d 2010.1/i586/xerces-j2-scripts-2.9.0-12.1mdv2010.2.i586.rpm aa76ab8c436a2deea87042e948ee9b87 2010.1/SRPMS/xerces-j2-2.9.0-12.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: b10c8ed786180fcc564c913e81407d39 2010.1/x86_64/xerces-j2-2.9.0-12.1mdv2010.2.x86_64.rpm ddee966d3283e3ee881de32045705844 2010.1/x86_64/xerces-j2-demo-2.9.0-12.1mdv2010.2.x86_64.rpm 10faa110174a57e84b917df59d7354d9 2010.1/x86_64/xerces-j2-javadoc-apis-2.9.0-12.1mdv2010.2.x86_64.rpm f337e9478e4e7981b8fc5711bce6c374 2010.1/x86_64/xerces-j2-javadoc-impl-2.9.0-12.1mdv2010.2.x86_64.rpm 853857a2fa3423bfe570683130a04a30 2010.1/x86_64/xerces-j2-javadoc-other-2.9.0-12.1mdv2010.2.x86_64.rpm 464aa2803e1d2c6379ab1c4efde16458 2010.1/x86_64/xerces-j2-javadoc-xni-2.9.0-12.1mdv2010.2.x86_64.rpm 753a920e14066f0947e86eb3c58dc3b0 2010.1/x86_64/xerces-j2-scripts-2.9.0-12.1mdv2010.2.x86_64.rpm aa76ab8c436a2deea87042e948ee9b87 2010.1/SRPMS/xerces-j2-2.9.0-12.1mdv2010.2.src.rpm Mandriva Enterprise Server 5: 2d77d8eee7520a75d32006b0a6593b9a mes5/i586/xerces-j2-2.9.0-9.1mdvmes5.2.i586.rpm 498fa9165c65a49a91c2f554412ba08d mes5/i586/xerces-j2-demo-2.9.0-9.1mdvmes5.2.i586.rpm 1355593b2b99758401b7402fe4665c14 mes5/i586/xerces-j2-javadoc-apis-2.9.0-9.1mdvmes5.2.i586.rpm 024c4cc368b002a3c8e5e2093b71e3ff mes5/i586/xerces-j2-javadoc-impl-2.9.0-9.1mdvmes5.2.i586.rpm a35340802b118ca125976d040dbef05a mes5/i586/xerces-j2-javadoc-other-2.9.0-9.1mdvmes5.2.i586.rpm 05d9e1cae5c2ea4d36f6947efc351769 mes5/i586/xerces-j2-javadoc-xni-2.9.0-9.1mdvmes5.2.i586.rpm f461ae2ab3e94c21961a1e1b848576a4 mes5/i586/xerces-j2-scripts-2.9.0-9.1mdvmes5.2.i586.rpm a9991784656b7edd311cfbf57f27295c mes5/SRPMS/xerces-j2-2.9.0-9.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 380c338fa0a80984f1d0086005896b8b mes5/x86_64/xerces-j2-2.9.0-9.1mdvmes5.2.x86_64.rpm 815b14cc6277587cd9690aedfb23e52d mes5/x86_64/xerces-j2-demo-2.9.0-9.1mdvmes5.2.x86_64.rpm 745dd35db3c5ec94420ba33d31605115 mes5/x86_64/xerces-j2-javadoc-apis-2.9.0-9.1mdvmes5.2.x86_64.rpm 97f1be73c86d6e1057512840875ebe3d mes5/x86_64/xerces-j2-javadoc-impl-2.9.0-9.1mdvmes5.2.x86_64.rpm 3a6f08eb04c7f04dba7bba0af9728fe9 mes5/x86_64/xerces-j2-javadoc-other-2.9.0-9.1mdvmes5.2.x86_64.rpm 990027b4eeed11ac8689534e2721f789 mes5/x86_64/xerces-j2-javadoc-xni-2.9.0-9.1mdvmes5.2.x86_64.rpm a1601357c9d02a3cdc0d884c641fa207 mes5/x86_64/xerces-j2-scripts-2.9.0-9.1mdvmes5.2.x86_64.rpm a9991784656b7edd311cfbf57f27295c mes5/SRPMS/xerces-j2-2.9.0-9.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFN9fgnmqjQ0CJFipgRAmspAJ0Ylvf3cIGVxgWJThqUjCCElt52QgCeJKRh TzRhRpoAIyy00Twg1G8t8Mk= =0/P6 -----END PGP SIGNATURE-----