CVE-2009-2625 in Ubuntu

CVE-2009-2625

Priority

Description

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime
Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0
before Update 20, and in other products, allows remote attackers to cause a
denial of service (infinite loop and application hang) via malformed XML
input, as demonstrated by the Codenomicon XML fuzzing framework.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/
https://ubuntu.com/security/notices/USN-814-1
https://ubuntu.com/security/notices/USN-890-1

Notes

jdstrand

this originally come out as a bug in expat (#1990430).
CVE-2009-3720 was later assigned to this identical issue, since
this issue was worded as a Java vulnerability. Our USN references
this CVE and CVE-2009-3720 will be ignored.

Package

Source: expat (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 22.04 LTS (Jammy Jellyfish):	released (2.0.1-7ubuntu1)

Patches:

Upstream:

http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

Package

Source: openjdk-6 (LP Ubuntu Debian)

Upstream:	released (6b16)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (6b16-1.6.1-0ubuntu1)

Patches:

Package

Source: sun-java5 (LP Ubuntu Debian)

Upstream:	released (1.5.0-20)
Ubuntu 22.04 LTS (Jammy Jellyfish):	DNE

Patches:

Package

Source: sun-java6 (LP Ubuntu Debian)

Upstream:	released (6.15)
Ubuntu 22.04 LTS (Jammy Jellyfish):	DNE

Patches:

More Information

Updated: 2022-02-10 23:38:00 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)