oss-sec mailing list archives
Re: CVE Request: libxml2 external parsed entities issue
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 05 Jul 2013 09:30:07 -0400
On 13-07-05 09:17 AM, Marcus Meissner wrote:
On Fri, Jul 05, 2013 at 08:48:04AM -0400, Marc Deslauriers wrote:Hello, libxml2 earlier than 2.9.0 fetches external parsed entities by default, with no way to disable the behaviour. Fixed by the following commit: https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f More Information: https://mail.gnome.org/archives/xml/2012-October/msg00045.html https://github.com/sparklemotion/nokogiri/issues/693 https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1194410 Could a CVE please be assigned to this issue?Sounds like http://seclists.org/oss-sec/2013/q1/391 and "Please use CVE-2013-0339 for libxml2 external entities expansion" ?
Hrm, I would have thought CVE-2013-0339 was for the entities expansion DoS issue fixed by this commit: https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab The other one is for external entities expansion being enabled by default with no way to turn it off. You would lump them together? Marc.
Current thread:
- CVE Request: libxml2 external parsed entities issue Marc Deslauriers (Jul 05)
- Re: CVE Request: libxml2 external parsed entities issue Marcus Meissner (Jul 05)
- Re: CVE Request: libxml2 external parsed entities issue Marc Deslauriers (Jul 05)
- Re: CVE Request: libxml2 external parsed entities issue Marcus Meissner (Jul 05)
- Re: CVE Request: libxml2 external parsed entities issue Kurt Seifried (Jul 05)
- Re: CVE Request: libxml2 external parsed entities issue Marc Deslauriers (Jul 05)
- Re: CVE Request: libxml2 external parsed entities issue Marcus Meissner (Jul 05)