[Bug 1509817] Re: Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04

2015-10-30 Thread Robie Basak
** Description changed:

  libxml's libxml_disable_entity_loader was not threadsafe on php-fpm
  prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE
  attack even though the entity loader was disabled in your code.
  
  Zend came up with a separate library for this:
  https://github.com/zendframework/ZendXml; however, I don't think it is
  that widely used, and the fix itself is hard: the library itself had to
  be patched again ([ZF2015-06]).
  
  AFAIK the patch to fix this issue has not yet been backported. I think
  it would be a much needed security enhancement, given that the
  workaround is hard and, as history has shown, prone to complicated
  unicode encoding attacks.
  
  For more information, please see:
- * https://bugs.php.net/bug.php?id=64938
+ * https://bugs.php.net/bug.php?id=64938 (fixed in 5.5.22)
  * https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

** Also affects: php5 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Summary changed:

- Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04
+ libxml_disable_entity_loader is not threadsafe

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1509817

Title:
  libxml_disable_entity_loader is not threadsafe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
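
The following is an added illustration for this bug, not code from the bug report, from PHP, from ZendXml or from Ubuntu. It is PHP, written for the problem the description raises: an application that relies only on libxml_disable_entity_loader(true) is exposed if that flag is not in effect for the worker that actually parses the request. The example shows the XXE payload shape (a SYSTEM entity; the file path is a placeholder), a vulnerable parse, and a parse that layers several checks so that no single flag is load-bearing: a raw-byte DOCTYPE scan in the ZendXml style, an encoding pre-check of the kind ZF2015-06 showed is necessary (a UTF-16 document hides "<!DOCTYPE" from a naive scan, which the demo constructs and tests), LIBXML_NONET without LIBXML_NOENT, the global flag where it still exists, and a post-parse doctype check. The PHP_VERSION_ID guard is there because the flag function was deprecated in PHP 8.0; the sample inputs are constructed for the demo.

```php
<?php
// Added example for bug 1509817 (not code from the bug report, PHP, ZendXml or Ubuntu).
// Shows the XXE the report describes and a parse routine that does not depend
// solely on the process-wide libxml_disable_entity_loader() flag.
declare(strict_types=1);

// Constructed attacker input: a SYSTEM entity pointing at a local file.
// The path is a placeholder; any file the PHP worker can read would do.
const XXE_PAYLOAD = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<data>&xxe;</data>
XML;

/**
 * Vulnerable parse: LIBXML_NOENT asks libxml to substitute entities, and a
 * SYSTEM entity is resolved through the entity loader. The report's point is
 * that a libxml_disable_entity_loader(true) done elsewhere may not be in
 * effect here, in which case this returns the referenced file's contents.
 */
function parseVulnerable(string $xml): string
{
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok ? $dom->documentElement->textContent : '';
}

/**
 * Hardened parse. Defence in depth, so that one flag being wrong is not fatal:
 *  1. reject encodings in which a byte scan for "<!DOCTYPE" would miss it
 *     (the ZF2015-06 lesson): NUL bytes (UTF-16/32) and invalid UTF-8;
 *  2. reject any DOCTYPE on the raw bytes, before libxml sees them (ZendXml style);
 *  3. set the global loader flag where it exists (deprecated since PHP 8.0);
 *  4. parse with LIBXML_NONET and without LIBXML_NOENT / LIBXML_DTDLOAD, so a
 *     surviving entity is neither fetched nor substituted;
 *  5. check after parsing that no DOCTYPE node reached the DOM.
 */
function parseHardened(string $xml): string
{
    // Step 1: strip a UTF-8 BOM, then insist on NUL-free, well-formed UTF-8.
    if (strncmp($xml, "\xEF\xBB\xBF", 3) === 0) {
        $xml = substr($xml, 3);
    }
    if (strpos($xml, "\0") !== false || preg_match('//u', $xml) !== 1) {
        throw new InvalidArgumentException('XML must be UTF-8 (no NULs, no UTF-16/32)');
    }
    // Step 2: case-insensitive DOCTYPE scan on the raw bytes.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    // Step 3: belt and braces; restored in finally so other code sees its own setting.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // Step 4: LIBXML_NONET blocks http/ftp fetches; no NOENT, so &ent; stays unexpanded.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException('Malformed XML: ' . ($err ? trim($err->message) : 'unknown'));
        }
        // Step 5: should be unreachable after step 2, which is the point of checking it.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE reached the parser');
        }
        return $dom->documentElement->textContent;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

function demo(): void
{
    // Constructed UTF-16LE variant (BOM + a NUL after every ASCII byte): libxml
    // autodetects it, but a plain stripos() for "<!DOCTYPE" sees nothing.
    $utf16 = "\xFF\xFE" . implode("\0", str_split(XXE_PAYLOAD)) . "\0";
    foreach (['utf-8' => XXE_PAYLOAD, 'utf-16le' => $utf16] as $label => $input) {
        printf("%-8s naive scan finds DOCTYPE: %s\n", $label,
            stripos($input, '<!DOCTYPE') !== false ? 'yes' : 'no');
        try {
            printf("%-8s hardened parse: %s\n", $label, parseHardened($input));
        } catch (InvalidArgumentException $e) {
            printf("%-8s hardened parse: rejected (%s)\n", $label, $e->getMessage());
        }
    }
    printf("utf-8    vulnerable parse returned %d bytes\n", strlen(parseVulnerable(XXE_PAYLOAD)));
}

if (PHP_SAPI === 'cli') {
    demo();
}
```

The encoding pre-check is the part worth noting: the ZendXml advisory referenced in the report was about exactly this gap, a DOCTYPE check that scanned bytes the parser later interpreted under a different encoding. Rejecting NULs and invalid UTF-8 up front keeps the byte scan and the parser reading the same text. None of this removes the need for the backported fix; it limits what a stale loader flag can do.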


[Bug 1509817] Re: Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04

2015-10-29 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security

** Changed in: php5 (Ubuntu)
   Status: New => Confirmed
