This is an automated email from the ASF dual-hosted git repository.
scantor pushed a commit to branch xerces-3.3
in repository https://gitbox.apache.org/repos/asf/xerces-c.git
The following commit(s) were added to refs/heads/xerces-3.3 by this push:
new f52acc01a website: improve security page
f52acc01a is described below
commit f52acc01adb420faf8b77d706cf4774ca5ae2821
Author: Arnout Engelen <[email protected]>
AuthorDate: Mon Feb 24 15:14:07 2025 +0100
website: improve security page
Add reference to CVE-2012-0880, security model, and reporting
guidelines.
---
doc/Makefile.am | 3 +++
doc/html/secadv/CVE-2012-0880.txt | 14 ++++++++++++++
doc/readme.xml | 6 ++++--
doc/secadv.xml | 19 ++++++++++++++++++-
doc/xerces-c_book.xml | 2 +-
5 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 0de016a34..cbdde7757 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -105,9 +105,12 @@ EXTRA_DIST = CMakeLists.txt \
faq-parse.xml \
feedback.xml \
html/ApacheDOMC++Binding.html \
+ html/secadv/CVE-2012-0880.txt \
html/secadv/CVE-2015-0252.txt \
html/secadv/CVE-2016-0729.txt \
html/secadv/CVE-2016-4463.txt \
+ html/secadv/CVE-2017-12627.txt \
+ html/secadv/CVE-2018-1311.txt \
install.xml \
mailing-lists.xml \
memparse.xml \
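Review bot: the commit message only mentions adding a reference to CVE-2012-0880, but this hunk also adds html/secadv/CVE-2017-12627.txt and html/secadv/CVE-2018-1311.txt to EXTRA_DIST, and neither of those files is created anywhere in this diff. If they already exist in doc/html/secadv and were simply missing from the distribution list (secadv.xml below already links CVE-2018-1311.txt, so that one at least is expected to exist), say so in the commit message; if either is absent, `make dist` will fail on the missing file. Check all three paths against the directory before merging.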
diff --git a/doc/html/secadv/CVE-2012-0880.txt
b/doc/html/secadv/CVE-2012-0880.txt
new file mode 100644
index 000000000..cf17cf445
--- /dev/null
+++ b/doc/html/secadv/CVE-2012-0880.txt
@@ -0,0 +1,14 @@
+CVE-2012-0880 xml: xerces-c hash table collisions CPU usage DoS
(oCERT-2011-003)
+
+Vendor: Red Hat, Inc
+
+Versions Affected: all
+
+Description: Apache Xerces-C++ allows remote attackers to cause a denial of
service (CPU consumption) via a crafted message sent to an XML service that
causes hash table collisions.
+
+Xerces project note: Exploitation of this issue is not trivial. We are not
aware of any well-known method to attack the hash function we use, but
mathematically speaking we should assume it to be possible.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=787103
+https://seclists.org/oss-sec/2014/q3/96
+https://ocert.org/advisories/ocert-2011-003.html
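Review bot: `Vendor: Red Hat, Inc` is wrong for an advisory published by the Xerces project; Red Hat is the source of the bugzilla reference, the vendor of the affected software is Apache Xerces-C++. Also `Versions Affected: all` with no fixed-version line does not match where secadv.xml files this entry (under "Addressed in 3.2.5 and Later Releases"); either add a line naming the release that addressed it, or give the real affected range instead of "all". The project note that exploitation is "not trivial" is useful, but it should say whether the hash function was changed or whether users are expected to rely on the resource limits the new Security Model section recommends.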
diff --git a/doc/readme.xml b/doc/readme.xml
index a03d553e2..4307261e3 100644
--- a/doc/readme.xml
+++ b/doc/readme.xml
@@ -39,8 +39,10 @@
portability, care has been taken to make minimal use of templates and
minimal use of
#ifdefs.</p>
- <note>Please note that &XercesCName; currently lacks active
maintainers and
- therefore may not be able to promptly address bugs and security
vulnerabilities.</note>
+ <note>Please note that Xerces-C++ currently lacks active maintainers
and therefore may
+ not be able to promptly address all bugs and security risks. See the
+ <jump href="secadv.html">Security page</jump> for important
information about using
+ Xerces-C++ securely.</note>
</s2>
<s2 title="Applications of the &XercesCProjectName; Parser">
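Review bot: the replaced note swaps the `&XercesCName;` entity for the literal "Xerces-C++" while the surrounding markup still uses entities (the `<s2 title="Applications of the &XercesCProjectName; Parser">` line directly below); keep `&XercesCName;` so the product name stays consistent with the rest of the page. The relative `secadv.html` target is correct given the `id="secadv"` document entry in xerces-c_book.xml, so no change needed there.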
diff --git a/doc/secadv.xml b/doc/secadv.xml
index fca26990a..09ec6e517 100644
--- a/doc/secadv.xml
+++ b/doc/secadv.xml
@@ -18,13 +18,30 @@
<!DOCTYPE s1 SYSTEM "sbk:/style/dtd/document.dtd">
-<s1 title="Security Advisories">
+<s1 title="Security">
+
+<s2 title="Security Model">
+
+<p>Apache Xerces-C++ currently lacks active maintainers and therefore needs to
tightly scope what security guarantees it provides.</p>
+
+<p>We recommend that users that process untrusted input take their own
precautions to make sure their applications fail gracefully when the input
takes inappropriate amounts of memory or CPU to process.</p>
+
+<p>Therefore we will no longer accept Denial of Service reports as security
vulnerabilities. We will still consider reports where Xerces-C++ processes
external paths (when it is correctly configured not to), or where it allows
arbitrary code execution.</p>
+
+</s2>
+
+<s2 title="Reporting">
+
+<p>To report a problem where Xerces-C++ behaves in a way that violates the
security model described above, please use the <jump
href="https://security.apache.org/report-code/">ASF-wide reporting
process</jump>.</p>
+
+</s2>
<s2 title="Addressed in 3.2.5 and Later Releases">
<p>The following security advisories apply to versions of
Xerces-C older than V3.2.5:</p>
<ul>
<li><jump href="secadv/CVE-2018-1311.txt">CVE-2018-1311: Apache Xerces-C
use-after-free vulnerability scanning external DTD</jump></li>
+ <li><jump href="secadv/CVE-2012-0880.txt">CVE-2012-0880: Apache Xerces-C
hash table collisions CPU usage DoS</jump></li>
</ul>
</s2>
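Review bot: the new Security Model paragraph says Denial of Service reports will no longer be accepted, yet the same hunk adds CVE-2012-0880, a CPU-consumption DoS, to the list headed "Addressed in 3.2.5 and Later Releases", whose intro says it lists advisories applying to versions older than 3.2.5. If 3.2.5 actually changed the hash table behaviour, the advisory text should say so; if not, the entry belongs in a separate section (for example one for issues documented but out of scope) rather than implying a fix. Two smaller points: the exception for "external paths (when it is correctly configured not to)" should name or link the parser features a user must set to obtain that configuration, otherwise a reader cannot tell whether their report qualifies; and the new `<li>` is appended after CVE-2018-1311, so the list is no longer in any order, put the older CVE first or sort by CVE id consistently.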
diff --git a/doc/xerces-c_book.xml b/doc/xerces-c_book.xml
index 1ae300640..41c5a4b6d 100644
--- a/doc/xerces-c_book.xml
+++ b/doc/xerces-c_book.xml
@@ -27,7 +27,7 @@
<document id="index" label="Overview" source="readme.xml"/>
<document id="charter" label="Charter" source="charter.xml"/>
<document id="releases" label="Release Info"
source="releases.xml"/>
- <document id="secadv" label="Advisories" source="secadv.xml"/>
+ <document id="secadv" label="Security" source="secadv.xml"/>
<hidden id="releases_archive"
source="releases_archive.xml"/>
<hidden id="releases_plan" source="releases_plan.xml"/>
<external href="http://&XercesDistDir;" label="Download"/>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]