[Buildroot] [PATCH] package/xerces: security bump to v3.3.0
Thomas Perale
thomas.perale at mind.be
Mon Oct 6 16:37:39 UTC 2025
Hi Titouan,
In reply to:
> This fixes the following vulnerability:
> - CVE-2024-23807:
> The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
> contains a use-after-free error triggered during the scanning of
> external DTDs. Users are recommended to upgrade to version 3.2.5
> which fixes the issue, or mitigate the issue by disabling DTD
> processing. This can be accomplished via the DOM using a standard
> parser feature, or via SAX using the XERCES_DISABLE_DTD environment
> variable. This issue has been disclosed before as CVE-2018-1311, but
> unfortunately that advisory incorrectly stated the issue would be
> fixed in version 3.2.3 or 3.2.4.
> https://www.cve.org/CVERecord?id=CVE-2024-23807
>
> Also update the download location to use HTTPS. Unfortunately, v3.2.5 is
> not available from the download site, so we bump to v3.3.0 instead.
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
> ---
> package/xerces/xerces.hash | 4 ++--
> package/xerces/xerces.mk | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/xerces/xerces.hash b/package/xerces/xerces.hash
> index e6b5b922d2..1bcc5422a3 100644
> --- a/package/xerces/xerces.hash
> +++ b/package/xerces/xerces.hash
> @@ -1,5 +1,5 @@
> -# From http://www.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.4.tar.xz.sha256
> -sha256 075bc57940da0f9be6dd183c550c8ce0b9833e4550dc382048377a1a5e3b2bd9 xerces-c-3.2.4.tar.xz
> +# From https://downloads.apache.org/xerces/c/3/sources/xerces-c-3.3.0.tar.gz.sha256
> +sha256 9555f1d06f82987fbb4658862705515740414fd34b4db6ad2ed76a2dc08d3bde xerces-c-3.3.0.tar.gz
>
> # Hash for license file
> sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
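Review bot: the '# From' URL on the new sha256 line points at downloads.apache.org, which only carries current releases, so the digest will no longer be re-checkable from that URL once 3.3.0 is superseded; if XERCES_SITE ends up on the archive host as suggested further down in this thread, point the comment there too, i.e. '# From https://archive.apache.org/dist/xerces/c/3/sources/xerces-c-3.3.0.tar.gz.sha256', so the .hash comment and the .mk site agree. Since this is a security bump, it is also worth stating in the commit message that the value was taken from the upstream .sha256 file and that the release's .asc signature was checked against the Apache KEYS file, rather than the hash having been computed locally on the downloaded tarball.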
> diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
> index 08efa6fb5c..36191caf9d 100644
> --- a/package/xerces/xerces.mk
> +++ b/package/xerces/xerces.mk
> @@ -4,9 +4,9 @@
> #
> ################################################################################
>
> -XERCES_VERSION = 3.2.4
> -XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
> -XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
I would keep the link to the 'archive' location; 3.2.5 is available over
there, and once the next version is released the 'download.apache.org'
mirror will 404 for v3.3.0 and make the autobuilder fail.
See '7407f797a6 package/apache: update mirror url'.
Thomas
> +XERCES_VERSION = 3.3.0
> +XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.gz
> +XERCES_SITE = https://downloads.apache.org/xerces/c/3/sources
> XERCES_LICENSE = Apache-2.0
> XERCES_LICENSE_FILES = LICENSE
> XERCES_CPE_ID_VENDOR = apache
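Review bot: the XERCES_SITE line moves the package from archive.apache.org to downloads.apache.org, which only serves current releases and will return 404 for 3.3.0 as soon as the next release replaces it, so the autobuilders will start failing; keep the archive host and only upgrade the scheme, i.e. 'XERCES_SITE = https://archive.apache.org/dist/xerces/c/3/sources'. As noted above, the archive also carries 3.2.5, so the commit message's statement that 3.2.5 is not available from the download site only holds for downloads.apache.org and should be reworded accordingly. Separately, XERCES_SOURCE switches from .tar.xz to .tar.gz with no reason given in the commit message; if upstream still publishes a .tar.xz for 3.3.0, keeping it avoids a larger download and keeps the change a pure version bump.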
> --
> 2.51.0
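The discussion above turns on where the sha256 in xerces.hash came from. The following shell script is an added example, not part of the Buildroot patch or of the xerces package; it checks a downloaded Apache release tarball against the upstream-published .sha256 file (whose layout varies between releases: a bare digest, "digest  name" or "digest *name"), optionally verifies the detached .asc signature against a KEYS file in a throw-away keyring, and emits the line in the format Buildroot .hash files use. File names such as xerces-c-3.3.0.tar.gz.sha256 and KEYS are assumptions for illustration; the script works on any tarball/.sha256 pair.

```shell
#!/bin/sh
# Added example (not Buildroot or xerces code): verify an Apache release
# tarball against its upstream .sha256 and .asc before recording the digest
# in a Buildroot .hash file. File names in the usage block are assumptions.

# Print the lowercase hex sha256 of a file.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Compare TARBALL against the digest stored in SHA256_FILE.
# Apache .sha256 files may contain just the digest, "digest  name" or
# "digest *name", so only the first field is used; anything else (empty file,
# HTML error page saved as .sha256, wrong length) fails the check.
verify_sha256() {
    tarball="$1"
    sha256_file="$2"
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sha256_file")
    case "$expected" in
        *[!0-9a-f]*|"") echo "no valid digest in $sha256_file" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "digest in $sha256_file is not 64 hex chars" >&2
        return 1
    fi
    actual=$(sha256_of "$tarball")
    if [ "$expected" != "$actual" ]; then
        echo "sha256 MISMATCH for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
    echo "sha256 OK: $actual  $(basename "$tarball")"
}

# Verify the detached PGP signature ASC_FILE over TARBALL using the keys in
# KEYS_FILE, imported into a temporary GnuPG home so the caller's own keyring
# is never touched. Returns gpg's exit status (0 = good signature).
verify_signature() {
    tarball="$1"
    asc_file="$2"
    keys_file="$3"
    gnupghome=$(mktemp -d)
    gpg --batch --quiet --homedir "$gnupghome" --import "$keys_file" >/dev/null 2>&1 || {
        rm -rf "$gnupghome"; echo "could not import $keys_file" >&2; return 1
    }
    gpg --batch --quiet --homedir "$gnupghome" --verify "$asc_file" "$tarball" 2>/dev/null
    rc=$?
    rm -rf "$gnupghome"
    return $rc
}

# Emit the line Buildroot expects in package/<pkg>/<pkg>.hash:
# "sha256  <digest>  <file name>" (two spaces between fields).
buildroot_hash_line() {
    tarball="$1"
    printf 'sha256  %s  %s\n' "$(sha256_of "$tarball")" "$(basename "$tarball")"
}

# Usage (assumed file names):
#   sh verify-apache-tarball.sh xerces-c-3.3.0.tar.gz xerces-c-3.3.0.tar.gz.sha256 \
#        [xerces-c-3.3.0.tar.gz.asc KEYS]
if [ "$#" -ge 2 ]; then
    verify_sha256 "$1" "$2" || exit 1
    if [ "$#" -ge 4 ]; then
        verify_signature "$1" "$3" "$4" || { echo "bad signature" >&2; exit 1; }
        echo "signature OK"
    fi
    buildroot_hash_line "$1"
fi
```

The .sha256 and .asc files should be fetched from the same upstream location as the tarball, and the KEYS file from the project's release area; a digest that merely matches a locally computed value proves nothing about provenance, which is why the signature check is worth running once per bump even if only the sha256 ends up in the .hash file.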