Date: Fri, 05 Jul 2013 09:30:07 -0400 From: Marc Deslauriers <marc.deslauriers@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: libxml2 external parsed entities issue On 13-07-05 09:17 AM, Marcus Meissner wrote: > On Fri, Jul 05, 2013 at 08:48:04AM -0400, Marc Deslauriers wrote: >> Hello, >> >> libxml2 earlier than 2.9.0 fetches external parsed entities by default, with no >> way to disable the behaviour. >> >> Fixed by the following commit: >> >> https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f >> >> More Information: >> https://mail.gnome.org/archives/xml/2012-October/msg00045.html >> https://github.com/sparklemotion/nokogiri/issues/693 >> https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1194410 >> >> >> Could a CVE please be assigned to this issue? > > Sounds like http://seclists.org/oss-sec/2013/q1/391 > and > "Please use CVE-2013-0339 for libxml2 external entities expansion" > > ? > Hrm, I would have thought CVE-2013-0339 was for the entities expansion DoS issue fixed by this commit: https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab The other one is for external entities expansion being enabled by default with no way to turn it off. You would lump them together? Marc.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.