oss-sec mailing list archives
Re: CVE Request: libxml2 external parsed entities issue
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Tue, 29 Oct 2013 08:44:45 +0530
On 10/28/2013 11:47 PM, Nicolas Grégoire wrote:
> For RedHat, it covers both but "libxml2 already provides mechanisms to
> disable external entities which applications can use. Closing this flaw
> as 'wontfix'": https://bugzilla.redhat.com/show_bug.cgi?id=915149
>
> And the official page for the CVE isn't helpful:

libxml has an API to disable external entity expansion. Applications linked against libxml can use this API if they don't have enough protections built-in. For this reason we believe that the responsibility for correctly handling XEE lies with the app, and not the library.

--
Huzaifa Sidhpurwala / Red Hat Security Response Team
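
Added example, not part of the original message or of libxml2's own code: what application-side control over external entity expansion looks like when libxml2 is reached through the lxml Python binding. The message does not name a specific API, so the parser options shown, the helper names, the sample document and the marker file are all assumptions constructed for this illustration.

```python
import os
import pathlib
import tempfile

from lxml import etree  # assumption: lxml, a Python binding to libxml2

MARKER = "CONSTRUCTED-MARKER-1234"  # constructed file content, not real data


def build_document(file_uri):
    """Constructed sample: a document declaring an external parsed entity."""
    doc = '<!DOCTYPE r [<!ENTITY ext SYSTEM "%s">]><r>&ext;</r>' % file_uri
    return doc.encode("utf-8")


def make_parser(hardened):
    """Return an lxml parser; the application decides how entities are handled."""
    if hardened:
        # Keep entity references as nodes instead of expanding them,
        # do not load external DTDs, and forbid network fetches.
        return etree.XMLParser(resolve_entities=False,
                               load_dtd=False,
                               no_network=True)
    # Explicitly ask for full entity substitution (the risky setting
    # when the document comes from an untrusted source).
    return etree.XMLParser(resolve_entities=True)


def parse(doc, hardened):
    """Parse doc and return the serialized root element."""
    root = etree.fromstring(doc, make_parser(hardened))
    return etree.tostring(root, encoding="unicode")


def demo():
    """Parse the same document with both parsers against a temp file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "data.txt")
        with open(path, "w") as handle:
            handle.write(MARKER)
        doc = build_document(pathlib.Path(path).as_uri())
        return parse(doc, hardened=False), parse(doc, hardened=True)


if __name__ == "__main__":
    permissive, hardened = demo()
    print("entity substitution on :", permissive)
    print("entity substitution off:", hardened)
```

With substitution disabled the entity stays in the tree as an unexpanded reference, so the referenced file is never read into the document.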
