oss-sec mailing list archives
CVE request: Perl module MARC::File::XML
From: Galen Charlton <gmc () esilibrary com>
Date: Tue, 21 Jan 2014 10:59:53 -0800
Hi, I am the maintainer of the Perl module MARC::File::XML, which is used by various applications to manipulate a metadata format used by libraries, and would like to request the allocation of a CVE identifier for an XXE vulnerability that is fixed in version 1.0.2 of the module. I have evidence that the vulnerability can be used in at least one F/LOSS integrated library system, Koha, to perform an application-level privilege escalation, and another one, Evergreen, is likely vulnerable to disclosure of the contents of arbitrary files on the server. I am a committer to both of those projects. Fix: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/ ChangeLog: https://metacpan.org/changes/distribution/MARC-XML Announcements: http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html Thanks, Galen -- Galen Charlton Manager of Implementation Equinox Software, Inc. / The Open Source Experts email: gmc () esilibrary com direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
Current thread:
- CVE request: Perl module MARC::File::XML Galen Charlton (Jan 21)
- Re: CVE request: Perl module MARC::File::XML cve-assign (Jan 21)