develooper Front page | perl.perl4lib | Postings from January 2014

SECURITY release: MARC::File::XML 1.0.2

Thread Next
From:
Galen Charlton
Date:
January 21, 2014 17:38
Subject:
SECURITY release: MARC::File::XML 1.0.2
Message ID:
CALXNrD-eZTWC3may3nCZNYpm1PVYK7kDESa+dp8Z_LC6mg9z9g@mail.gmail.com
Hi,

I have uploaded [1] version 1.0.2 of MARC::File::XML.  This is a
security release that repairs an XML external entity (XXE)
vulnerability.  I recommend that all uses of MARC::File::XML upgrade
promptly.

Here is the change log entry:

1.0.2 Tue Jan 21 17:18:37 UTC 2014
       - MARC::File::XML will now die upon parsing a record that
         declares an external entity and tries to use it. This
         prevents the potential unwanted disclosure of the contents
         of files on the server by applications that embed this module.
         If, for some reason, an application needs to process MARCXML
         records that contain external entities, set_parser() can be
         used to force the use of an XML::LibXML parser that is
         configured to process external entities.

         The issue was reported by John Lightsey.

[1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2

Regards,

Galen
-- 
Galen Charlton
gmcharlt@gmail.com

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About