CVE-2016-9318: Bug 772726 – XXE problems continue
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
Summary: XXE problems continue
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware: Other All
Importance: High critical
Target Milestone: —
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
URL:
Whiteboard: CVE-2016-9318
Depends on:
Blocks:
Reported: 2016-10-11 04:38 UTC by Aleksey Sanin
Modified: 2019-04-23 11:02 UTC
See Also: https://github.com/sparklemotion/nokogiri/issues/1582
GNOME target: —
GNOME version: —
Attachments
- proposal for XML_PARSE_NOXXE (6.60 KB, patch), 2016-12-13 01:56 UTC, dmoppert
- proposal for XML_PARSE_NOXXE (updated) (6.60 KB, patch), 2016-12-28 06:58 UTC, dmoppert
- proposal to fix ctxt->external and support XML_PARSE_NOXXE (7.32 KB, patch), 2017-04-26 06:02 UTC, dmoppert
- xxe test script (2.45 KB, application/x-compressed-tar), 2017-06-15 03:56 UTC, dmoppert
- (partial) fix for the XXE (389 bytes, patch), 2017-12-05 05:31 UTC, Aleksey Sanin