Your submission was sent successfully! Close

CVE-2009-2625

Published: 6 August 2009

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Notes

AuthorNote
jdstrand
this originally come out as a bug in expat (#1990430).
CVE-2009-3720 was later assigned to this identical issue, since
this issue was worded as a Java vulnerability. Our USN references
this CVE and CVE-2009-3720 will be ignored.
Priority

Medium

Status

Package Release Status
expat
Launchpad, Ubuntu, Debian
dapper
Released (1.95.8-3ubuntu0.1)
hardy
Released (2.0.1-0ubuntu1.1)
intrepid
Released (2.0.1-4ubuntu0.8.10.1)
jaunty
Released (2.0.1-4ubuntu0.9.04.1)
karmic
Released (2.0.1-4ubuntu1.1)
lucid
Released (2.0.1-7ubuntu1)
maverick
Released (2.0.1-7ubuntu1)
upstream Needed

Patches:
upstream: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
openjdk-6
Launchpad, Ubuntu, Debian
dapper Does not exist

hardy
Released (6b18-1.8.2-4ubuntu1~8.04.1)
intrepid
Released (6b12-0ubuntu6.5)
jaunty
Released (6b14-1.4.1-0ubuntu11)
karmic Not vulnerable
(6b16-1.6.1-0ubuntu1)
lucid Not vulnerable
(6b16-1.6.1-0ubuntu1)
maverick Not vulnerable
(6b16-1.6.1-0ubuntu1)
upstream
Released (6b16)
sun-java5
Launchpad, Ubuntu, Debian
dapper Ignored
(reached end-of-life)
gutsy Needs triage
(reached end-of-life)
hardy Not vulnerable
(1.5.0-22-0ubuntu0.8.04)
intrepid Needs triage
(reached end-of-life)
jaunty Ignored
(reached end-of-life)
karmic Does not exist

lucid Does not exist

maverick Does not exist

upstream
Released (1.5.0-20)
sun-java6
Launchpad, Ubuntu, Debian
dapper Does not exist

hardy
Released (6.20dlj-0ubuntu1.8.04)
intrepid Needs triage
(reached end-of-life)
jaunty
Released (6.20dlj-0ubuntu1.9.04)
karmic
Released (6-15-1)
lucid
Released (6-15-1)
maverick Not vulnerable

upstream
Released (6.15)