Security Information / 2015 / Security Information -- DSA-3243-1 libxml-libxml-perl

Debian Security Advisory

DSA-3243-1 libxml-libxml-perl -- security update

Date Reported:

01 May 2015

Affected Packages:

libxml-libxml-perl

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 783443.
In Mitre's CVE dictionary: CVE-2015-3451.

More information:

Tilmann Haak from xing.com discovered that XML::LibXML, a Perl interface to the libxml2 library, did not respect the expand_entities parameter to disable processing of external entities in some circumstances. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.

For the oldstable distribution (wheezy), this problem has been fixed in version 2.0001+dfsg-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in version 2.0116+dfsg-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 2.0116+dfsg-2.

We recommend that you upgrade your libxml-libxml-perl packages.