Context Navigation

← Previous Ticket
Next Ticket →

#20136 closed enhancement (fixed)

libxml2-2.13.3

Reported by:	Bruce Dubbs	Owned by:	Douglas R. Reno
Priority:	elevated	Milestone:	12.2
Component:	BOOK	Version:	git
Severity:	normal	Keywords:
Cc:

Description ¶

New point version.

Change History (4)

comment:1 by Xi Ruoyao, 8 months ago

Priority:	normal → elevated

Security

[CVE-2024-40896] Fix XXE protection in downstream code

Regressions

autotools: Use AC_CHECK_DECL to check for getentropy
xinclude: Fix fallback for text includes
io: Don't call getcwd in xmlParserGetDirectory
io: Fix return value of xmlFileRead
parser: Fix error return of xmlParseBalancedChunkMemory

Improvements

xinclude: Set error handler when parsing text
Undeprecate xmlKeepBlanksDefault

comment:2 by Xi Ruoyao, 8 months ago

CVE-2024-40896:

Some users set an entity's children manually in the getEntity SAX callback to restrict entity expansion. This stopped working after renaming the "checked" member of xmlEntity, making at least one downstream project and its dependants susceptible to XXE attacks.

I don't know if this specific "downstream project" (the upstream has not made it public yet) is in BLFS.

comment:3 by Douglas R. Reno, 8 months ago

Owner:	changed from blfs-book to Douglas R. Reno
Status:	new → assigned

comment:4 by Douglas R. Reno, 8 months ago

Resolution:	→ fixed
Status:	assigned → closed

Fixed at 2e31189172161734602733ca44d8dcca54981495

SA-12.1-083 issued

Note: See TracTickets for help on using tickets.

Download in other formats: