From ${URL} : The option to `expand_external_ents`, documented as controlling external entity expansion in XML::Twig does not work. External entities are always expanded, regardless of the option's setting. Upstream bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream have added a new "no_xxe" flag, which seems to be necessary for consuming code to not be vulnerable, so at this stage, it looks like we need to find things that use XML-Twig[1] and fix them. Direct responses to *solving* this CVE aren't entirely clear though.

[1]: https://qa-reports.gentoo.org/output/genrdeps/rindex/dev-perl/XML-Twig

commit a8c9d23a38a9c19d21033b5834b660f8340f187e
Author: Kent Fredric <kentnl@gentoo.org>
Date:   Sat Nov 26 02:32:47 2016 +1300

    dev-perl/XML-Twig: Bump to version 3.520.0 (re bug #598764)

    - EAPI6
    - Parallel Testing
    - Author test cleanup

    Upstream:
    - New option "no_xxe" for XML::Twig->new, which causes the parse to fail if external entities are used. (See CVE-2016-9180)
    - Fix warnings/errors with unescaped regex braces.
    - Partial fixes for getNamespaces in XML::Twig::XPath::Elt
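Added example, not part of this bug thread and not code from XML::Twig or the ebuild: a small check a maintainer of consuming code can run to confirm that the installed XML::Twig actually refuses a document declaring an external entity once `no_xxe => 1` is passed to `XML::Twig->new`, and still parses ordinary input. The XML documents, the `does-not-exist.txt` system id and the `parse_untrusted` helper are constructed for the example; the `use XML::Twig 3.52` line is the standard Perl version check and makes the script die on an install that predates the option.

```perl
#!/usr/bin/perl
# Added example (not from the bug thread or from XML::Twig itself): verify that
# XML::Twig->new(no_xxe => 1) rejects a document that declares an external
# entity, and that plain documents still parse.
use strict;
use warnings;

# Require a release that knows about no_xxe (added upstream in 3.52);
# 'use Module VERSION' dies at compile time on an older install.
use XML::Twig 3.52;

# Constructed input: a DTD declaring an external entity. The SYSTEM id is a
# deliberately nonexistent relative path; with no_xxe the parser must refuse
# the document rather than try to resolve it.
my $untrusted_xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY ext SYSTEM "does-not-exist.txt">
]>
<doc>&ext;</doc>
XML

# Constructed control input with no entity declarations at all.
my $benign_xml = '<doc>hello</doc>';

# Parse XML from an untrusted source with external entities disabled.
# Returns ($text, undef) on success, or (undef, $error) if XML::Twig refused
# the document (which, per the 3.52 changelog, is what no_xxe makes it do).
sub parse_untrusted {
    my ($xml) = @_;
    my $twig = XML::Twig->new(no_xxe => 1);
    eval { $twig->parse($xml); 1 } or return (undef, $@ || "parse failed");
    return ($twig->root->text, undef);
}

my ($text, $err) = parse_untrusted($untrusted_xml);
if (defined $text) {
    print "UNEXPECTED: document with external entity parsed (text: '$text')\n";
} else {
    print "External entity document rejected, as expected: $err";
}

($text, $err) = parse_untrusted($benign_xml);
if (defined $text) {
    print "Benign document parsed normally, root text: '$text'\n";
} else {
    print "UNEXPECTED: benign document rejected: $err";
}
```

Run it as `perl check_no_xxe.pl` (file name is arbitrary) against the installed dev-perl/XML-Twig; the first parse should report a rejection and the second should print `hello`. Consuming code that takes XML from outside the trust boundary is expected to pass `no_xxe => 1` explicitly, since the report above is that `expand_external_ents` alone does not stop expansion.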
Hell yeah, looks like the Gentoo list is incomplete (maybe missing rdepends in the ebuild), see https://codesearch.debian.net/search?q=Twig-%3Enew ... OK, I'll create a tracker bug. @ Maintainer(s): Can we already stabilize =dev-perl/XML-Twig-3.520.0?
Tracker bug created, see bug 600818.
@ Arches, please test and mark stable: =dev-perl/XML-Twig-3.520.0 Please honor ALLARCHES keyword!
Stable on alpha.
Stable for amd64/ia64/perl/ppc64/ppc/sparc/x86 (ALLARCHES policy).
GLSA Vote: No @ Maintainer(s): Please cleanup and drop <dev-perl/XML-Twig-3.520.0!
@perl, bump for cleanup.
Arches and Maintainer(s), Thank you for your work.