CVE-2012-0876

Description

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

How to fix CVE-2012-0876

To remediate CVE-2012-0876, upgrade the affected package to a fixed version below.

• Debian/expat—upgrade to 2.1.0~beta3-1 or later
• Debian/expat—upgrade to 2.0.1-7+squeeze1 or later
• —no fix listed
• —upgrade to 1.16.33-3.2 or later

Is CVE-2012-0876 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.1.0~beta3-1
• from 0, < 2.0.1-7+squeeze1
• from 0
• from 0, < 1.16.33-3.2

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-0876