]> code.ossystems Code Review - openembedded-core.git/commit
Code Review / openembedded-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 54debe6) | patch
libxml2: fix CVE-2014-3660
authorJoe MacDonald <joe_macdonald@mentor.com>
Mon, 20 Oct 2014 17:51:21 +0000 (13:51 -0400)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Wed, 11 Feb 2015 17:39:47 +0000 (17:39 +0000)
commitde7bc57398aaeb84fc9370d025b87f7711986ada
treecaa7c375d95d7cde68d98c85f1c57e88e12cc440tree | snapshot
parent54debe63cbd38dba56895541c434f895e158f70bcommit | diff
libxml2: fix CVE-2014-3660

It was discovered that the patch for CVE-2014-0191 for libxml2 is
incomplete.  It is still possible to have libxml2 incorrectly perform
entity substituton even when the application using libxml2 explicitly
disables the feature.  This can allow a remote denial-of-service attack on
systems with libxml2 prior to 2.9.2.

References:
    http://www.openwall.com/lists/oss-security/2014/10/17/7
    https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

(From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f)

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/recipes-core/libxml/libxml2.inc diff | blob | history
meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-3660.patch [new file with mode: 0644] blob
Mirror of the official openembedded-core repository