Date: Tue, 29 Oct 2013 08:44:45 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: libxml2 external parsed entities issue

On 10/28/2013 11:47 PM, Nicolas Grégoire wrote:
> For RedHat, it covers both but "libxml2 already provides mechanisms to
> disable external entities which applications can use. Closing this flaw
> as 'wontfix'": https://bugzilla.redhat.com/show_bug.cgi?id=915149
>
> And the official page for the CVE isn't helpful:

libxml has an API to disable external entity expansion. Applications
linked against libxml can use this API if they don't have enough
protections built-in. For this reason we believe that the responsibility
for correctly handling XEE lies with the app. and not the library.

--
Huzaifa Sidhpurwala / Red Hat Security Response Team
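The message above does not say which API an application should call. As an added example (not from this thread and not libxml2's own code), here is one way an application can take on that responsibility through lxml, a Python binding to libxml2, together with a regression check that a constructed external entity is never expanded. The choice of lxml and the names `hardened_parser`, `parse_untrusted` and `leaks_canary` are assumptions made for illustration.

```python
import pathlib
import tempfile

from lxml import etree  # Python binding to libxml2 (assumed to be installed)

CANARY = "CANARY-constructed-7f3a"  # constructed marker, not a real secret


def hardened_parser():
    """Parser for untrusted XML: no entity substitution, no DTD load, no network."""
    return etree.XMLParser(
        resolve_entities=False,  # leave &name; references unexpanded
        load_dtd=False,          # do not load the external DTD subset
        dtd_validation=False,    # validation would require loading the DTD
        no_network=True,         # refuse network fetches while parsing
        huge_tree=False,         # keep libxml2's built-in size limits
    )


def parse_untrusted(data: bytes):
    """Parse bytes from an untrusted source with the hardened parser."""
    return etree.fromstring(data, parser=hardened_parser())


def leaks_canary(parse) -> bool:
    """Regression check for a parse function.

    Feeds `parse` a constructed document whose external entity points at a
    local canary file and reports whether the file content reaches the tree.
    """
    with tempfile.TemporaryDirectory() as tmp:
        canary = pathlib.Path(tmp) / "canary.txt"
        canary.write_text(CANARY)
        doc = (
            '<!DOCTYPE r [<!ENTITY ext SYSTEM "%s">]><r>&ext;</r>'
            % canary.as_uri()
        ).encode()
        root = parse(doc)
        return CANARY.encode() in etree.tostring(root)


if __name__ == "__main__":
    print("hardened parser leaks canary:", leaks_canary(parse_untrusted))
```

Running `leaks_canary` against every XML entry point in a test suite catches a parser that was constructed with different options somewhere else in the code base.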