Debian Security Advisory
DSA-3243-1 libxml-libxml-perl -- security update
- Date Reported:
- 01 May 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 783443.
In Mitre's CVE dictionary: CVE-2015-3451.
- More information:
Tilmann Haak from xing.com discovered that XML::LibXML, a Perl interface to the libxml2 library, did not respect the expand_entities parameter to disable processing of external entities in some circumstances. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.
For the oldstable distribution (wheezy), this problem has been fixed in version 2.0001+dfsg-1+deb7u1.
For the stable distribution (jessie), this problem has been fixed in version 2.0116+dfsg-1+deb8u1.
For the unstable distribution (sid), this problem has been fixed in version 2.0116+dfsg-2.
We recommend that you upgrade your libxml-libxml-perl packages.