Message-ID: <526F2825.5070500@redhat.com>
Date: Tue, 29 Oct 2013 08:44:45 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: libxml2 external parsed entities issue

On 10/28/2013 11:47 PM, Nicolas Grégoire wrote:

> For RedHat, it covers both but "libxml2 already provides mechanisms to
> disable external entities which applications can use. Closing this flaw
> as 'wontfix'": https://bugzilla.redhat.com/show_bug.cgi?id=915149
> 
> And the official page for the CVE isn't helpful:


libxml has an API to disable external entity expansion. Applications
linked against libxml can use this API if they don't have enough
protections built-in. For this reason we believe that the
responsibility for correctly handling XEE lies with the app. and not
the library.




-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
