xalan-j2-2.7.0-6jpp.2.0.1.AXS3

エラータID: AXSA:2014-250:01

Release date: 
Thursday, April 10, 2014 - 15:50
Subject: 
xalan-j2-2.7.0-6jpp.2.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

Xalan is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements the W3C Recommendations for XSL Transformations (XSLT) and the XML Path Language (XPath). It can be used from the command line, in an applet or a servlet, or as a module in other program.

Security issues fixed with this release:

• CVE-2014-0107
No information available at the time of writing, please refer to the CVE link below.

Solution: 

Update packages.

CVEs: 
CVE-2014-0107
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.


Additional Info: 

N/A

Download: 

SRPMS
  1. xalan-j2-2.7.0-6jpp.2.0.1.AXS3.src.rpm
    MD5: ef3594ec3a445c7be12f92d55a9eeb62
    SHA-256: b5fc8e97ad828de45d2144e837aec31bb3a456fcca7ff70ba4d128e828bd06f0
    Size: 3.60 MB

Asianux Server 3 for x86
  1. xalan-j2-2.7.0-6jpp.2.0.1.AXS3.i386.rpm
    MD5: 957d008e34d3bffca3037c7063613c9d
    SHA-256: ad34a92d8b0d2b36ccb6c4900c176d7b85f153216b6df8fddc665a7eafc37d03
    Size: 3.96 MB

Asianux Server 3 for x86_64
  1. xalan-j2-2.7.0-6jpp.2.0.1.AXS3.x86_64.rpm
    MD5: a4c612ee2314514b6d2a51c5c38abb34
    SHA-256: eb6e414ad1765cc85ffcac1c0cac0e3d280e59c029247049fc4843f3ced1a563
    Size: 4.47 MB