[Buildroot] [PATCH] package/xerces: security bump to v3.3.0

Titouan Christophe titouan.christophe at mind.be
Mon Oct 6 15:09:49 UTC 2025


This fixes the following vulnerability:
- CVE-2024-23807:
    The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
    contains a use-after-free error triggered during the scanning of
    external DTDs.  Users are recommended to upgrade to version 3.2.5
    which fixes the issue, or mitigate the issue by disabling DTD
    processing. This can be accomplished via the DOM using a standard
    parser feature, or via SAX using the XERCES_DISABLE_DTD environment
    variable.  This issue has been disclosed before as CVE-2018-1311, but
    unfortunately that advisory incorrectly stated the issue would be
    fixed in version 3.2.3 or 3.2.4.
    https://www.cve.org/CVERecord?id=CVE-2024-23807

Also update the download location to use HTTPS. Unfortunately, v3.2.5 is
not available from the download site, so we bump to v3.3.0 instead.

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
 package/xerces/xerces.hash | 4 ++--
 package/xerces/xerces.mk   | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/xerces/xerces.hash b/package/xerces/xerces.hash
index e6b5b922d2..1bcc5422a3 100644
--- a/package/xerces/xerces.hash
+++ b/package/xerces/xerces.hash
@@ -1,5 +1,5 @@
-# From http://www.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.4.tar.xz.sha256
-sha256  075bc57940da0f9be6dd183c550c8ce0b9833e4550dc382048377a1a5e3b2bd9  xerces-c-3.2.4.tar.xz
+# From https://downloads.apache.org/xerces/c/3/sources/xerces-c-3.3.0.tar.gz.sha256
+sha256  9555f1d06f82987fbb4658862705515740414fd34b4db6ad2ed76a2dc08d3bde  xerces-c-3.3.0.tar.gz
 
 # Hash for license file
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
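Review bot: the archive format switches from .tar.xz to .tar.gz here while the hash comment points at downloads.apache.org, which only carries the current release; once 3.3.0 is superseded that .sha256 URL will stop resolving and the next reviewer cannot re-verify the hash. Prefer citing the permanent archive location (`# From https://archive.apache.org/dist/xerces/c/3/sources/xerces-c-3.3.0.tar.gz.sha256`) and, if upstream still publishes the .xz variant for 3.3.0, keeping the smaller .tar.xz so the tarball download and the `XERCES_SOURCE` change in xerces.mk stay minimal.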
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index 08efa6fb5c..36191caf9d 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-XERCES_VERSION = 3.2.4
-XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
-XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
+XERCES_VERSION = 3.3.0
+XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.gz
+XERCES_SITE = https://downloads.apache.org/xerces/c/3/sources
 XERCES_LICENSE = Apache-2.0
 XERCES_LICENSE_FILES = LICENSE
 XERCES_CPE_ID_VENDOR = apache
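Review bot: `XERCES_SITE` moves from archive.apache.org to downloads.apache.org, which serves only the latest release, so this URL will 404 as soon as 3.3.1 or later is published and the package will then depend on the Buildroot sources mirror. Since the stated reason for the move was HTTPS, `XERCES_SITE = https://archive.apache.org/dist/xerces/c/3/sources` gives HTTPS and a permanent location, and the same archive should also hold the 3.2.5 tarball that the commit message says was unavailable. The hash is taken from the upstream .sha256 file rather than recomputed locally, which is the right check for a security bump; the CPE vendor/product lines remain valid for the new version.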
-- 
2.51.0
