Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jan 2014 10:59:53 -0800
From: Galen Charlton <gmc@...library.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Perl module MARC::File::XML

Hi,

I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module.  I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server.  I am a committer to both of those projects.

Fix: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/

ChangeLog: https://metacpan.org/changes/distribution/MARC-XML

Announcements:

http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html
http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html
http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html

Thanks,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc@...library.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ