On Tue, Jan 21, 2014 at 12:38 PM, Galen Charlton <gmcha...@gmail.com> wrote:
> Hi,
>
> I have uploaded [1] version 1.0.2 of MARC::File::XML. This is a
> security release that repairs an XML external entity (XXE)
> vulnerability. I recommend that all users of MARC::File::XML upgrade
> promptly.
>
> Here is the change log entry:
>
> 1.0.2 Tue Jan 21 17:18:37 UTC 2014
>     - MARC::File::XML will now die upon parsing a record that
>       declares an external entity and tries to use it. This
>       prevents the potential unwanted disclosure of the contents
>       of files on the server by applications that embed this module.
>       If, for some reason, an application needs to process MARCXML
>       records that contain external entities, set_parser() can be
>       used to force the use of an XML::LibXML parser that is
>       configured to process external entities.
>
> The issue was reported by John Lightsey.
>
> [1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2
RPMs are available for manual download for Fedora 19 [a] and Fedora 20 [b], but will not be available through the normal updates process until sufficient testing karma has been granted. If you have a Fedora account and can test the packages & grant them karma, please do so!

a. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19
b. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc20

Thanks,
Dan
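The change log above describes the 1.0.2 behaviour in prose only: the module now dies when a record declares an external entity and uses it, and set_parser() lets an application substitute its own XML::LibXML parser. The script below is an added example, not code from MARC::File::XML or from Galen's release, showing what a hardened XML::LibXML parser looks like and how an application can refuse any record whose DTD declares an external entity before handing it on. It assumes XML::LibXML is installed; the two MARCXML records are constructed sample input, and the file path in the second one is a placeholder, not a real target.

```perl
#!/usr/bin/perl
# Added example (not MARC::File::XML's own code): hardened XML::LibXML
# parsing plus an explicit refusal of external entity declarations.
# Assumes XML::LibXML is installed.
use strict;
use warnings;
use XML::LibXML;

# Parser options: never substitute entities, never fetch an external DTD,
# never touch the network while parsing. A parser built like this is the
# kind of object an application could hand to MARC::File::XML->set_parser().
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,
        load_ext_dtd    => 0,
        no_network      => 1,
    );
}

# Die if the DOCTYPE declares any entity with a SYSTEM or PUBLIC identifier
# (an external entity). This is a little stricter than 1.0.2, which dies
# only when such an entity is actually referenced in the record.
sub refuse_external_entities {
    my ($doc) = @_;
    for my $dtd ($doc->internalSubset, $doc->externalSubset) {
        next unless defined $dtd;
        my $decl = $dtd->toString;
        if ($decl =~ /<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b/) {
            die "refusing MARCXML record: external entity declared in DTD\n";
        }
    }
    return 1;
}

# Parse with the hardened options, then apply the declaration check.
sub parse_marcxml_safely {
    my ($xml) = @_;
    my $doc = hardened_parser()->load_xml(string => $xml);
    refuse_external_entities($doc);
    return $doc;
}

# Constructed sample input: a minimal MARCXML record with no DTD ...
my $clean = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <controlfield tag="001">constructed-001</controlfield>
  <datafield tag="245" ind1="1" ind2="0">
    <subfield code="a">Example title</subfield>
  </datafield>
</record>
XML

# ... and one that declares and uses an external entity. The SYSTEM
# identifier is a placeholder, not a real path.
my $hostile = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE record [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path/on/server">
]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <controlfield tag="001">&ext;</controlfield>
</record>
XML

my $doc = parse_marcxml_safely($clean);
print "clean record parsed, control number: ",
    $doc->findvalue('//*[local-name()="controlfield"][@tag="001"]'), "\n";

eval { parse_marcxml_safely($hostile) };
print "hostile record rejected: $@" if $@;
```

The parser options do the real work: with entity substitution, external DTD loading and network access all off, libxml2 never reads the referenced file while the record is being parsed. The declaration check runs after parsing and is defence in depth; it also gives the application a clear error to log instead of a silently empty field, which is the signal a defender would want to alert on.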