Errata overview
Errata ID 242
Date 2016-09-07
Source package xerces-c
Fixed in version 3.1.1-3.7.201608291255
This update addresses the following issue(s):
* Denial of service in internal/XMLReader.cpp via crafted XML data
* Apache Xerces-C XML Parser Crashes on Malformed Input
* Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in
  Apache Xerces C++ 3.1.3 and earlier does not properly handle
  exceptions raised in the XMLReader class, which allows
  context-dependent attackers to have unspecified impact via an
  invalid character in an XML document. (CVE-2016-2099)
* Brandon Perry discovered that xerces-c, a validating XML parser
  library for C++, fails to successfully parse a DTD that is deeply
  nested, causing a stack overflow. A remote unauthenticated attacker
  can take advantage of this flaw to cause a denial of service
  against applications using the xerces-c library. (CVE-2016-4463)
* Additionally this update includes an enhancement to enable
  applications to fully disable DTD processing through the use of an
  environment variable (XERCES_DISABLE_DTD).
Additional notes
CVE ID CVE-2015-0252
UCS Bug number #38207