Date: Thu, 30 Apr 2015 00:54:53 -0400 (EDT)
From: cve-assign@...re.org
To: tilmann.haak@...g.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Perl XML::LibXML

> XEE vulnerability in Perl's XML::LibXML
> 
> The output of XEE-XML-LibXML-demo.pl should not contain external
> entities, but "expand_entities" is ignored.
> 
> Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using
> $parser = XML::LibXML->new and $XML_DOC = $parser->load_xml does not.
> 
> The vulnerability is fixed in version 2.0119.
> 
> https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
> 
> http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes

> LibXML.pm
> 
> $new->{XML_LIBXML_PARSER_OPTIONS} = $self->{XML_LIBXML_PARSER_OPTIONS};

> 2.0119  2015-04-23
>     - Preserve unset options after a _clone() call (e.g: in load_xml()).
>         - This caused expand_entities(0) to not be preserved/etc.
>         - Thanks to Tilmann Haak from xing.com for the report.

Use CVE-2015-3451.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
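A check a site can run to confirm whether its installed XML::LibXML still shows the behaviour reported above, as an added example (not the reporter's XEE-XML-LibXML-demo.pl and not code from XML::LibXML itself): it writes a marker to a temporary file it owns, references that file from an external entity, then parses the document through both load_xml() call forms with expand_entities disabled and reports whether the serialized result contains the marker.

```perl
#!/usr/bin/perl
# Added regression check; not the reporter's XEE-XML-LibXML-demo.pl and
# not code from XML::LibXML. It confirms whether the installed version
# honours expand_entities(0) for both load_xml() call forms.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed sample: a marker written to a temp file this script owns,
# referenced by an external entity in a minimal document.
my ($fh, $marker_path) = tempfile(UNLINK => 1);
print {$fh} "SECRET-MARKER";
close $fh;

my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "$marker_path"> ]>
<doc>&ext;</doc>
XML

# Serialize the parsed document and report whether the entity was
# resolved into the file's content (1) or left as a reference (0).
sub leaked {
    my ($doc) = @_;
    return $doc->toString =~ /SECRET-MARKER/ ? 1 : 0;
}

# Form 1: class-method call, documented to honour expand_entities => 0.
my $class_doc = XML::LibXML->load_xml(string => $xml, expand_entities => 0);

# Form 2: parser object configured first, then load_xml(); this is the
# path the report says ignored expand_entities(0) before 2.0119.
my $parser = XML::LibXML->new;
$parser->expand_entities(0);
my $object_doc = $parser->load_xml(string => $xml);

printf "XML::LibXML %s\n", $XML::LibXML::VERSION;
printf "class-method load_xml  : %s\n",
    leaked($class_doc)  ? "EXPANDED (unexpected)" : "not expanded";
printf "parser-object load_xml : %s\n",
    leaked($object_doc) ? "EXPANDED (affected, pre-2.0119 behaviour)"
                        : "not expanded (fixed)";
```

On a fixed installation both lines report "not expanded"; a version before 2.0119 reports the parser-object path as expanded, matching the report.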