Arch Linux Security Advisory ASA-201504-32
=========================================

Severity: low
Date    : 2015-04-30
CVE-ID  : CVE-2015-3451
Package : perl-xml-libxml
Type    : XML External Entity
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package perl-xml-libxml before version 2.0119-1 is vulnerable to a 
XML-External-Entity-Vulnerability.

Resolution
==========

Upgrade to 2.0119-1

# pacman -Syu "perl-xml-libxml>=2.0119-1"

The problem has been fixed upstream in version 2.0119.

Workaround
==========

None.

Description
===========

Unpreserved unset options after a _clone() call (e.g: in load_xml())
leads to not preserved expand_entities. Therefore it leads to a
XML-External-Entity Vulnerability.

Impact
======

This vulnerability may lead to the disclosure of confidential data, denial of
service, port scanning from the perspective of the machine where the parser is
located, and other system impacts.

References
==========

http://www.openwall.com/lists/oss-security/2015/04/30/1
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes

Attachment: pgpHFp9Fg12Bw.pgp
Description: PGP signature

Reply via email to