** Description changed:

libxml's libxml_disable_entity_loader was not threadsafe on php-fpm prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE attack even though the entity loader was disabled in your code.

Zend came up with a separate library for this: https://github.com/zendframework/ZendXml however I don't think it is that widely used and the fix itself is hard: the library itself had to be patched again ([ZF2015-06]).

AFAIK the patch to fix this issue has not yet been backported. I think it would be a much needed security enhancement, given that the workaround is hard and, as history has shown, prone to complicated unicode encoding attacks.

For more information, please see:

- * https://bugs.php.net/bug.php?id=64938
+ * https://bugs.php.net/bug.php?id=64938 (fixed in 5.5.22)
  * https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
** Also affects: php5 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Summary changed:

- Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04
+ libxml_disable_entity_loader is not theadsafe

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1509817

Title:
  libxml_disable_entity_loader is not theadsafe

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
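The report above says that relying on libxml_disable_entity_loader() alone was not enough under php-fpm, and that the ZendXml workaround (refuse any document carrying a DOCTYPE, after normalising the encoding) was itself hard to get right. The following is an added example of that defence-in-depth pattern; it is not code from the bug report, from PHP or from ZendXml. It assumes PHP 5.5 or later (for `finally`), ext/dom and ext/mbstring; the function names `xml_declares_doctype` and `load_untrusted_xml` and the sample documents are made up for the example.

```php
<?php
// Added example, not code from the bug report, from PHP or from ZendXml.
// Three layers: (1) reject DOCTYPE/ENTITY declarations before libxml sees the
// bytes, after normalising UTF-16/UTF-32 input to UTF-8; (2) parse with the
// entity loader disabled and without NOENT/DTDLOAD; (3) refuse any parsed
// tree that still carries a DOCTYPE node. Assumes ext/dom and ext/mbstring.

/**
 * Best-effort pre-parse scan. Returns true if the bytes appear to declare a
 * DOCTYPE or ENTITY. The input is converted to UTF-8 first, based on a BOM or
 * the first bytes of "<?xml", so a UTF-16/UTF-32 document cannot slip past a
 * byte-wise search for "<!DOCTYPE" (the encoding problem ZF2015-06 addressed
 * in ZendXml's own heuristic).
 */
function xml_declares_doctype($bytes)
{
    // Longer prefixes first so UTF-32 BOMs are not mistaken for UTF-16 ones.
    $signatures = array(
        "\xEF\xBB\xBF"     => 'UTF-8',
        "\xFF\xFE\x00\x00" => 'UTF-32LE',
        "\x00\x00\xFE\xFF" => 'UTF-32BE',
        "\xFF\xFE"         => 'UTF-16LE',
        "\xFE\xFF"         => 'UTF-16BE',
        "\x3C\x00\x00\x00" => 'UTF-32LE',
        "\x00\x00\x00\x3C" => 'UTF-32BE',
        "\x3C\x00\x3F\x00" => 'UTF-16LE',
        "\x00\x3C\x00\x3F" => 'UTF-16BE',
    );
    $encoding = 'UTF-8';
    foreach ($signatures as $prefix => $name) {
        if (strncmp($bytes, $prefix, strlen($prefix)) === 0) {
            $encoding = $name;
            break;
        }
    }
    $utf8 = ($encoding === 'UTF-8')
        ? $bytes
        : mb_convert_encoding($bytes, 'UTF-8', $encoding);

    return stripos($utf8, '<!DOCTYPE') !== false
        || stripos($utf8, '<!ENTITY') !== false;
}

/**
 * Parses untrusted XML into a DOMDocument, or throws RuntimeException.
 */
function load_untrusted_xml($bytes)
{
    if (xml_declares_doctype($bytes)) {
        throw new RuntimeException('XML with DOCTYPE/ENTITY declarations is rejected');
    }

    // libxml state is process-global: set it, then restore the previous values.
    $loaderWasDisabled = libxml_disable_entity_loader(true);
    $internalErrors    = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NOENT and LIBXML_DTDLOAD are deliberately not passed;
        // LIBXML_NONET forbids network fetches even if the loader flag raced.
        if ($dom->loadXML($bytes, LIBXML_NONET) === false) {
            throw new RuntimeException('XML is not well-formed');
        }
        // Encoding-independent check on the parsed tree: any DOCTYPE at all
        // means the pre-scan was bypassed, so refuse the document.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('Parsed document carries a DOCTYPE; rejected');
            }
        }
        return $dom;
    } finally {
        libxml_disable_entity_loader($loaderWasDisabled);
        libxml_use_internal_errors($internalErrors);
        libxml_clear_errors();
    }
}

// Constructed sample inputs: a plain document and one with a harmless DOCTYPE.
$plain       = '<?xml version="1.0"?><order><id>42</id></order>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE order [ <!ELEMENT order ANY> ]><order/>';

var_dump(load_untrusted_xml($plain)->documentElement->nodeName);
try {
    load_untrusted_xml($withDoctype);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The pre-scan is the layer that matters when the entity-loader flag does not take effect: by the time the tree check runs, libxml has already parsed the document, so the tree check only catches what the byte-level heuristic missed. The heuristic covers the Unicode encodings an XML parser will auto-detect; an encoding named only in the `encoding` pseudo-attribute that is not ASCII-compatible would still need its own handling, which is why the tree check is kept as a backstop. On PHP 8.0 and later libxml_disable_entity_loader() is deprecated because external entity loading is off by default, but the DOCTYPE rejection remains useful against entity-expansion denial of service.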