| Field | Value |
|---|---|
| Summary | dev-perl/XML-LibXML-2.12.100: "expand_entities" option was not preserved under some circumstances (CVE-2015-3451) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1216112 |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 551116, 551118 |
| Bug Blocks | |
Description
Agostino Sarubbo
2015-04-28 15:33:06 UTC
I have the ebuild ready to get bumped in my CVS repo. However, a bunch of tests now depend on dev-perl/Test-LeakTrace which needs stabilisation and keywording.

(In reply to Patrice Clement from comment #1)
> I have the ebuild ready to get bumped in my CVS repo. However, a bunch of
> tests now depend on dev-perl/Test-LeakTrace which needs stabilisation and
> keywording.

Commit it with dropped keywords for architectures which lack keywords on dev-perl/Test-LeakTrace.

+*XML-LibXML-2.12.100 (04 Jun 2015)
+
+  04 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +XML-LibXML-2.12.100.ebuild:
+  Version bump. Fix security bug 548032.
+

Please stabilise this package ASAP. Previous version was stable for the following platforms:

- alpha
- amd64
- arm
- arm64
- hppa
- ia64
- ppc
- ppc64
- s390
- sh
- sparc
- x86

(In reply to Patrice Clement from comment #3)
> +*XML-LibXML-2.12.100 (04 Jun 2015)
> +
> +  04 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
> +  +XML-LibXML-2.12.100.ebuild:
> +  Version bump. Fix security bug 548032.
> +
>
> Please stabilise this package ASAP. Previous version was stable for the
> following platforms:

fwiw, that would require CCing the arches...

Arches, please stabilize:
=dev-perl/XML-LibXML-2.12.100

Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

GLSA vote: no.

GLSA Vote: No

04 Jun 2015; Mikle Kolyada <zlogene@gentoo.org> -XML-LibXML-2.1.400-r1.ebuild, XML-LibXML-2.12.100.ebuild:
Stable for all (security bug #548032)

Thanks for cleanup and stabilization. Closing [noglsa]

CVE-2015-3451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3451): The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML data to the (1) new or (2) load_xml function.
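The CVE text above describes the failure mode but not how to observe it. The following script is an added example, not code from this bug report or from the XML::LibXML project: it parses a constructed probe document through the instance form of `load_xml` (the path that goes through `_clone`) and reports whether a parser built with `expand_entities => 0` really left the entity reference unexpanded. The probe document, the `keeps_entities_unexpanded` helper and its name are assumptions made for the example; the parser options and the `:libxml` node-type constants are XML::LibXML's own.

```perl
#!/usr/bin/env perl
# Added example (not from the Gentoo bug or from XML::LibXML itself).
# Probe for CVE-2015-3451: does expand_entities => 0 on a parser instance
# survive $parser->load_xml(...)? In XML::LibXML < 2.0119, _clone() dropped
# the option, so the clone used for the parse fell back to expanding entities.
use strict;
use warnings;
use XML::LibXML qw(:libxml);   # exports XML_TEXT_NODE, XML_ENTITY_REF_NODE, ...

# Constructed input for the example. It declares an internal general entity
# only, so the probe itself reads no files and touches no network; a real
# XXE payload would use <!ENTITY probe SYSTEM "file:///etc/passwd"> instead.
my $probe = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY probe "entity-was-expanded"> ]>
<r>&probe;</r>
XML

# Hypothetical helper: returns 1 if the parser kept &probe; as an
# EntityReference node, 0 if it substituted the entity text (a Text node).
sub keeps_entities_unexpanded {
    my ($parser) = @_;
    # Instance call: this is the load_xml path that clones the parser.
    my $doc   = $parser->load_xml(string => $probe);
    my $child = $doc->documentElement->firstChild;
    return $child->nodeType == XML_ENTITY_REF_NODE ? 1 : 0;
}

my $hardened = XML::LibXML->new(
    expand_entities => 0,   # keep &ent; as a reference node, do not substitute
    load_ext_dtd    => 0,   # do not fetch an external DTD subset
    no_network      => 1,   # libxml2 XML_PARSE_NONET: no http/ftp fetches
);

my $version = XML::LibXML->VERSION;
if (keeps_entities_unexpanded($hardened)) {
    print "ok: expand_entities => 0 survived load_xml (XML::LibXML $version)\n";
} else {
    print "VULNERABLE: entity expanded despite expand_entities => 0 (XML::LibXML $version)\n";
    exit 1;
}

# For contrast, a parser with default options (expand_entities => 1) substitutes
# the entity, so the first child of <r> is a Text node.
my $default = XML::LibXML->new();
print "default parser expands entities: ",
      (keeps_entities_unexpanded($default) ? "no" : "yes"), "\n";
```

Run it against the installed module; on a fixed version (>= 2.0119, so the 2.12.100 stabilised in this bug) the first line reads `ok`. Note that `expand_entities => 0` on its own is not a complete XXE defence: XML::LibXML documents that disabling substitution does not stop libxml2 from loading an external parsed entity, whose parsed content still hangs under the entity reference node in the DOM. Pair it with `load_ext_dtd => 0`, `no_network => 1` and an `ext_ent_handler` that refuses to load anything when parsing untrusted input.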