Bug#958055: dom4j: CVE-2020-10683: XML External Entity vulnerability in default SAX parser
Salvatore Bonaccorso
carnil at debian.org
Sun Apr 19 07:45:16 BST 2020
Hi Emmanuel,
On Sun, Apr 19, 2020 at 02:36:14AM +0200, Emmanuel Bourg wrote:
> On 17/04/2020 at 23:10, Salvatore Bonaccorso wrote:
>
> > The following vulnerability was published for dom4j.
> >
> > CVE-2020-10683[0]:
> > XML External Entity vulnerability in default SAX parser
> >
> > [2] https://github.com/dom4j/dom4j/commit/a822852 (Patch)
>
> The upstream patch doesn't fix anything, the constructor of SAXReader
> still allows external entities by default, but the documentation now
> suggests to disable them.
I must have misread the idea then, thinking it was switching to a safer
default. For the initial triage I followed on
https://bugzilla.redhat.com/show_bug.cgi?id=1694235
and
https://bugzilla.suse.com/show_bug.cgi?id=1169760
Regards,
Salvatore
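The point made above, that `new SAXReader()` still honours DTDs and external entities and that the application has to switch them off itself, is easy to get wrong in practice. The following is an added example (not code from this thread, from Debian, or from the dom4j project) showing the hardened configuration the dom4j documentation recommends, next to the library default, on a constructed document that carries an inline DOCTYPE. It assumes the dom4j 2.x `org.dom4j.io.SAXReader` API and a Xerces-based SAX parser underneath (the JDK's built-in one qualifies); the class name `HardenedDom4j` and the sample XML strings are mine.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public final class HardenedDom4j {

    // Constructed sample: a document with an inline DTD. The entity is harmless,
    // but any DOCTYPE is the foothold for XXE, so a hardened reader must refuse it.
    static final String XML_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n"
        + "<note>&greet;</note>";

    // Constructed sample: ordinary input that a hardened reader must still accept.
    static final String PLAIN_XML = "<note>hello</note>";

    /** Builds a SAXReader with DOCTYPE processing and external entity resolution disabled. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Refuse any DTD at all. This single feature blocks XXE and entity-expansion
        // (billion laughs) payloads and is the right choice unless DTDs are genuinely needed.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that cannot reject DTDs outright:
        // never fetch external general or parameter entities, and do not load an external DTD.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Parses the given XML with the supplied reader and returns the root element's text. */
    public static String rootText(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        SAXReader libraryDefault = new SAXReader();   // as shipped: DTDs and entities honoured
        SAXReader hardened = hardenedReader();

        // The default reader expands the inline entity and returns "hello".
        System.out.println("default reader, DOCTYPE:  " + rootText(libraryDefault, XML_WITH_DOCTYPE));

        // The hardened reader still parses normal input.
        System.out.println("hardened reader, plain:   " + rootText(hardened, PLAIN_XML));

        // The hardened reader rejects the DOCTYPE; Xerces raises a SAXParseException,
        // which dom4j wraps in a DocumentException.
        try {
            rootText(hardened, XML_WITH_DOCTYPE);
            System.out.println("hardened reader, DOCTYPE: accepted (configuration is NOT effective)");
        } catch (DocumentException e) {
            System.out.println("hardened reader, DOCTYPE: rejected -> " + e.getMessage());
        }
    }
}
```

The four feature URIs are the standard SAX/Xerces names; a non-Xerces SAX implementation may throw `SAXNotRecognizedException` from `setFeature`, which is itself a useful signal, because an unrecognised feature means the protection was not applied and the reader should not be used. The `disallow-doctype-decl` feature is the one that matters most; the other three only add protection where a DTD has to be tolerated.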