CVE-2009-2625
Published: 6 August 2009
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Notes
| Author | Note |
|---|---|
| jdstrand | this originally come out as a bug in expat (#1990430). CVE-2009-3720 was later assigned to this identical issue, since this issue was worded as a Java vulnerability. Our USN references this CVE and CVE-2009-3720 will be ignored. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
expat Launchpad, Ubuntu, Debian |
dapper |
Released
(1.95.8-3ubuntu0.1)
|
| hardy |
Released
(2.0.1-0ubuntu1.1)
|
|
| intrepid |
Released
(2.0.1-4ubuntu0.8.10.1)
|
|
| jaunty |
Released
(2.0.1-4ubuntu0.9.04.1)
|
|
| karmic |
Released
(2.0.1-4ubuntu1.1)
|
|
| lucid |
Released
(2.0.1-7ubuntu1)
|
|
| maverick |
Released
(2.0.1-7ubuntu1)
|
|
| upstream |
Needed
|
|
|
Patches: upstream: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch |
||
|
openjdk-6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(6b18-1.8.2-4ubuntu1~8.04.1)
|
|
| intrepid |
Released
(6b12-0ubuntu6.5)
|
|
| jaunty |
Released
(6b14-1.4.1-0ubuntu11)
|
|
| karmic |
Not vulnerable
(6b16-1.6.1-0ubuntu1)
|
|
| lucid |
Not vulnerable
(6b16-1.6.1-0ubuntu1)
|
|
| maverick |
Not vulnerable
(6b16-1.6.1-0ubuntu1)
|
|
| upstream |
Released
(6b16)
|
|
|
sun-java5 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| gutsy |
Ignored
(end of life, was needs-triage)
|
|
| hardy |
Not vulnerable
(1.5.0-22-0ubuntu0.8.04)
|
|
| intrepid |
Ignored
(end of life, was needs-triage)
|
|
| jaunty |
Ignored
(end of life)
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| upstream |
Released
(1.5.0-20)
|
|
|
sun-java6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(6.20dlj-0ubuntu1.8.04)
|
|
| intrepid |
Ignored
(end of life, was needs-triage)
|
|
| jaunty |
Released
(6.20dlj-0ubuntu1.9.04)
|
|
| karmic |
Released
(6-15-1)
|
|
| lucid |
Released
(6-15-1)
|
|
| maverick |
Not vulnerable
|
|
| upstream |
Released
(6.15)
|
|
References
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
- http://www.cert.fi/en/reports/2009/vulnerability2009085.html
- http://www.codenomicon.com/labs/xml/
- https://ubuntu.com/security/notices/USN-814-1
- https://ubuntu.com/security/notices/USN-890-1
- https://www.cve.org/CVERecord?id=CVE-2009-2625
- NVD
- Launchpad
- Debian