Bug 109129 - XXE [CWE-611]
Summary: XXE [CWE-611]
Status: RESOLVED FIXED
Alias: None
Product: ZCS
Classification: Unclassified
Component: Mail - Server
Version: 8.7.15_ZCS_JudasPriest
Hardware: All Browsers All
: P1 blocker
Target Milestone: ---
Assignee: Bug Owner
QA Contact: Dawood Shaikh
URL: https://nvd.nist.gov/vuln-metrics/cvs...
Keywords: Security
Depends on:
Blocks:
 
Reported: 2019-03-08 14:03 EST by Phil Pearl
Modified: 2021-11-02 16:24 EDT

See Also:
Feature Notes:
Eng Days:
QA Days:
Root Cause: ---
Fix Type: ---
QA Analysis: ---
CVE Number: CVE-2019-9670
CVSS Score: 6.4
CVE Reporter: An Trinh <tint0@outlook.com>
ZCO Subcategory:
Queue Position:
Test Stories:
User Stories:
UX:
Developer:
PM:
QA:
Docs:


Description Phil Pearl 2019-03-08 14:03:38 EST
All supported releases of ZCS before 8.7.11p10 have an XXE vulnerability.  Details to follow.
Comment 4 Phil Pearl 2019-05-28 16:26:46 EDT
This issue impacted 8.7.x branch.

Fixed in 8.7.11 Patch10

See also https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10
Comment 8 Cihan 2021-11-02 16:24:50 EDT
/gdb/arch/arc.c:117:43:   required from here
/usr/include/c++/4.8.2/bits/hashtable_policy.h:195:39: error: no matching function for call to ‘std::pair<const arc_arch_features, const std::unique_ptr<target_desc, target_desc_deleter> >::pair(const arc_arch_features&, target_desc*&)’
  : _M_v(std::forward<_Args>(__args)...) { }
                                       ^
/usr/include/c++/4.8.2/bits/hashtable_policy.h:195:39: note: candidates are:
In file included from /usr/include/c++/4.8.2/utility:70:0,
                 from /usr/include/c++/4.8.2/tuple:38,
                 from /usr/include/c++/4.8.2/functional:55,
                 from ../../gdb/../gdbsupport/ptid.h:35,
                 from ../../gdb/../gdbsupport/common-defs.h:123,
                 from ../../gdb/arch/arc.c:19:
/usr/include/c++/4.8.2/bits/stl_pair.h:206:9: note: template<class ... _Args1, long unsigned int ..._Indexes1, class ... _Args2, long unsigned int ..._Indexes2> std::pair<_T1, _T2>::pair(std::tuple<_Args1 ...>&, std::tuple<_Args2 ...>&, std::_Index_tuple<_Indexes1 ...>, std::_Index_tuple<_Indexes2 ...>)
         pair(tuple<_Args1...>&, tuple<_Args2...>&,
         ^
-------->8---------
Thanks to Tome de Vries' investigation, same fix applies in ARC's case as well:
--------8<---------
diff --git a/gdb/arch/arc.c b/gdb/arch/arc.c
index 3808f9f..a5385ce 100644 http://www.go-mk-websites.co.uk/
--- a/gdb/arch/arc.c
+++ b/gdb/arch/arc.c http://www.wearelondonmade.com/ 
@@ -114,7 +114,7 @@ struct arc_arch_features_hasher
   target_desc *tdesc = arc_create_target_description (features); https://waytowhatsnext.com/

   /* Add the newly created target description to the repertoire.  */ http://www.mconstantine.co.uk/
 -  arc_tdesc_cache.emplace (features, tdesc); http://www.iu-bloomington.com/
+  arc_tdesc_cache.emplace (features, target_desc_up (tdesc));
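Review bot: on the added line "arc_tdesc_cache.emplace (features, target_desc_up (tdesc));", ownership of tdesc passes to the temporary target_desc_up, but emplace does not insert when features is already a key, and in that case the temporary is destroyed and the description is freed while the local raw pointer tdesc is still in scope. If tdesc is used or returned after this statement, check the .second member of the result of emplace (or assert that the key is absent) so that no dangling pointer escapes, and extend the comment above the call to say that the cache now owns the object.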