Bug#736275: libmarc-xml-perl: XXE vulnerability fixed in 1.0.2
Salvatore Bonaccorso
carnil at debian.org
Tue Jan 21 20:09:02 UTC 2014
Package: libmarc-xml-perl
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
From the CVE request on oss-security (CVE assignment is pending):
----cut---------cut---------cut---------cut---------cut---------cut-----
I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module. I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server. I am a committer to both of those projects.
Fix: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/
ChangeLog: https://metacpan.org/changes/distribution/MARC-XML
Announcements:
http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html
http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html
http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html
----cut---------cut---------cut---------cut---------cut---------cut-----
See: http://www.openwall.com/lists/oss-security/2014/01/21/5
I have not checked the details; unstable, having 1.0.1, is affected;
not checked for the other versions.
Regards,
Salvatore
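As an added example (not code from MARC::File::XML, Koha, Evergreen or the bug report itself), the input-handling pattern that this class of bug calls for on the consuming side, in Perl with XML::LibXML: reject MARCXML records that declare a DOCTYPE, and parse the rest with entity expansion and external DTD loading switched off. The parser options, the namespace lookup and both sample records are assumptions of this example, not taken from the 1.0.2 fix.

```perl
# Added example; not code from MARC::File::XML, Koha or Evergreen.
# Assumption: MARCXML is parsed with XML::LibXML, so the parser options
# below are XML::LibXML's. Gate untrusted input first, then parse with a
# hardened parser as defence in depth.
use strict;
use warnings;
use XML::LibXML;

my $NS = 'http://www.loc.gov/MARC21/slim';

# Defence in depth: no entity substitution, no external DTD loading,
# no network access.
my $parser = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);

# Primary control: MARCXML has no use for a DOCTYPE, so refuse any record
# that carries one before a parser sees it. Whether libxml2 fetches an
# external entity it does not substitute varies by version, so the
# parser options above are not relied on alone.
sub ingest_record {
    my ($xml) = @_;
    return 'rejected: record declares a DOCTYPE' if $xml =~ /<!DOCTYPE/i;
    my $doc = $parser->load_xml(string => $xml);
    for my $df ($doc->getElementsByTagNameNS($NS, 'datafield')) {
        next unless $df->getAttribute('tag') eq '245';
        for my $sf ($df->getElementsByTagNameNS($NS, 'subfield')) {
            return 'title: ' . $sf->textContent if $sf->getAttribute('code') eq 'a';
        }
    }
    return 'no title';
}

# Constructed records: one declaring an external entity (placeholder URI,
# never read by this script), one ordinary record.
my $hostile = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE record [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/never-read"> ]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <datafield tag="245" ind1="1" ind2="0"><subfield code="a">&ext;</subfield></datafield>
</record>
XML
my $clean = <<'XML';
<record xmlns="http://www.loc.gov/MARC21/slim">
  <datafield tag="245" ind1="1" ind2="0"><subfield code="a">Example title</subfield></datafield>
</record>
XML

print ingest_record($_), "\n" for $hostile, $clean;
```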