Debian Security Advisory
DLA-151-1 libxml2 -- LTS security update
- Date Reported:
- 07 Feb 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 768089.
In Mitre's CVE dictionary: CVE-2014-0191, CVE-2014-3660.
- More information:
It was discovered that the update released for libxml2 in DSA 2978 fixing CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external entities regardless of whether entity substitution or validation is enabled.
In addition, this update addresses a regression introduced in DSA 3057 by the patch fixing CVE-2014-3660. This caused libxml2 to not parse an entity when it's used first in another entity referenced from an attribute value.
For Debian 6
Squeeze, these issues have been fixed in libxml2 version 2.7.8.dfsg-2+squeeze11