List: oss-security
Subject: [oss-security] Re: CVE request: Perl XML::LibXML
From: cve-assign () mitre ! org
Date: 2015-04-30 4:54:53
Message-ID: 20150430045453.A4BC642E0BA () smtpvbsrv1 ! mitre ! org
> XEE vulnerability in Perl's XML::LibXML
>
> The output of XEE-XML-LibXML-demo.pl should not contain external
> entities, but "expand_entities" is ignored.
>
> Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using
> $parser = XML::LibXML->new and $XML_DOC = $parser->load_xml does not.
>
> The vulnerability is fixed in version 2.0119.
>
> https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
>
> http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes
> LibXML.pm
>
> $new->{XML_LIBXML_PARSER_OPTIONS} = $self->{XML_LIBXML_PARSER_OPTIONS};
> 2.0119 2015-04-23
> - Preserve unset options after a _clone() call (e.g: in load_xml()).
> - This caused expand_entities(0) to not be preserved/etc.
> - Thanks to Tilmann Haak from xing.com for the report.
Use CVE-2015-3451.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
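
A regression check for the behaviour reported above, added here as an example; it is not the reporter's XEE-XML-LibXML-demo.pl and not code from the XML::LibXML distribution. It assumes the option is passed as expand_entities => 0 at construction, and uses a constructed temporary file holding a canary string as the external entity target.

```perl
#!/usr/bin/perl
# Added example: checks that expand_entities => 0 is honoured by both
# call styles named in the report (fixed in XML::LibXML 2.0119).
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed input: a harmless local file containing a canary string.
my $canary = 'XEE-CANARY-' . $$;
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $canary;
close $fh;

# Constructed document whose external entity points at the canary file.
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY ext SYSTEM "file://$path"> ]>
<r>&ext;</r>
XML

# Returns 1 if the serialized document contains the canary, i.e. the
# external entity was expanded although expansion was switched off.
sub expanded {
    my ($doc) = @_;
    return index($doc->toString, $canary) >= 0 ? 1 : 0;
}

my %leak = (
    # Class-method call: reported as working as documented.
    'XML::LibXML->load_xml' =>
        expanded(XML::LibXML->load_xml(string => $xml, expand_entities => 0)),
    # Parser object plus load_xml: the path reported as ignoring the option.
    '$parser->load_xml' =>
        expanded(XML::LibXML->new(expand_entities => 0)->load_xml(string => $xml)),
);

printf "XML::LibXML %s\n", XML::LibXML->VERSION;
for my $style (sort keys %leak) {
    printf "%-24s %s\n", $style,
        $leak{$style} ? 'EXPANDED (option ignored)' : 'not expanded';
}

# Non-zero exit if either call style expanded the entity.
my $bad = grep { $_ } values %leak;
exit($bad ? 1 : 0);
```

A non-zero exit status means at least one call style expanded the entity, so the script can be used as a gate in CI or in a dependency audit of the installed module.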