xalan-j2-2.7.0-9.9.AXS4
Errata ID: AXSA:2014-224:01
Release date:
Thursday, April 10, 2014 - 18:58
Subject:
xalan-j2-2.7.0-9.9.AXS4
Affected Channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
Xalan is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements the W3C Recommendations for XSL Transformations (XSLT) and the XML Path Language (XPath). It can be used from the command line, in an applet or a servlet, or as a module in other programs.
Security issues fixed with this release:
• CVE-2014-0107
No information was available at the time of writing; please refer to the CVE link below.
Solution:
Update packages.
CVEs:
CVE-2014-0107
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Additional Info:
N/A
Download:
SRPMS
- xalan-j2-2.7.0-9.9.AXS4.src.rpm
MD5: a8a42e98590e6dbb52fdd709344ca314
SHA-256: c996fe29ffea7cbbcf9dd2b92ed5ea2306ced3f618cb0d9806823e0b01176d25
Size: 5.99 MB
Asianux Server 4 for x86
- xalan-j2-2.7.0-9.9.AXS4.noarch.rpm
MD5: 4d27b17190193ec9c3a11b93228a8e94
SHA-256: e9748b6dc76e80e50c96ccc0c556de789fba1ccbae5f83839fe0e47ebb87377a
Size: 1.75 MB
Asianux Server 4 for x86_64
- xalan-j2-2.7.0-9.9.AXS4.noarch.rpm
MD5: 2d12578e3390bc26f47555a666dd811e
SHA-256: 685e0390a95cd284942ce39971151674d23f1d607936ff48120b2385667835af
Size: 1.75 MB