Debian Security Advisory

DLA-151-1 libxml2 -- LTS security update

Date Reported:
07 Feb 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 768089.
In Mitre's CVE dictionary: CVE-2014-0191, CVE-2014-3660.
More information:

It was discovered that the update released for libxml2 in DSA 2978 fixing CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external entities regardless of whether entity substitution or validation is enabled.

In addition, this update addresses a regression introduced in DSA 3057 by the patch fixing CVE-2014-3660. This caused libxml2 to not parse an entity when it's used first in another entity referenced from an attribute value.

For Debian 6 Squeeze, these issues have been fixed in libxml2 version 2.7.8.dfsg-2+squeeze11