Date: Tue, 21 Jan 2014 10:59:53 -0800 From: Galen Charlton <gmc@...library.com> To: oss-security@...ts.openwall.com Subject: CVE request: Perl module MARC::File::XML Hi, I am the maintainer of the Perl module MARC::File::XML, which is used by various applications to manipulate a metadata format used by libraries, and would like to request the allocation of a CVE identifier for an XXE vulnerability that is fixed in version 1.0.2 of the module. I have evidence that the vulnerability can be used in at least one F/LOSS integrated library system, Koha, to perform an application-level privilege escalation, and another one, Evergreen, is likely vulnerable to disclosure of the contents of arbitrary files on the server. I am a committer to both of those projects. Fix: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/ ChangeLog: https://metacpan.org/changes/distribution/MARC-XML Announcements: http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html Thanks, Galen -- Galen Charlton Manager of Implementation Equinox Software, Inc. / The Open Source Experts email: gmc@...library.com direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.