Opened 7 weeks ago

Closed 7 weeks ago

#20136 closed enhancement (fixed)

libxml2-2.13.3

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Xi Ruoyao, 7 weeks ago

Priority: normal → elevated

Security

  • [CVE-2024-40896] Fix XXE protection in downstream code

Regressions

  • autotools: Use AC_CHECK_DECL to check for getentropy
  • xinclude: Fix fallback for text includes
  • io: Don't call getcwd in xmlParserGetDirectory
  • io: Fix return value of xmlFileRead
  • parser: Fix error return of xmlParseBalancedChunkMemory

Improvements

  • xinclude: Set error handler when parsing text
  • Undeprecate xmlKeepBlanksDefault

comment:2 by Xi Ruoyao, 7 weeks ago

CVE-2024-40896:

Some users set an entity's children manually in the getEntity SAX callback to restrict entity expansion. This stopped working after renaming the "checked" member of xmlEntity, making at least one downstream project and its dependants susceptible to XXE attacks.

I don't know if this specific "downstream project" (the upstream has not made it public yet) is in BLFS.

comment:3 by Douglas R. Reno, 7 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:4 by Douglas R. Reno, 7 weeks ago

Resolution: fixed
Status: assigned → closed

Fixed at 2e31189172161734602733ca44d8dcca54981495

SA-12.1-083 issued
