perl.perl5.porters | Postings from March 2013

[perl #117079] RE: Vulnerability in XML::Simple

From: advisories
Date: March 7, 2013 17:56
Subject: [perl #117079] RE: Vulnerability in XML::Simple
Message ID: rt-3.6.HEAD-28177-1362600720-860.117079-75-0@perl.org
# New Ticket Created by "advisories"
# Please include the string: [perl #117079]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org:443/rt3/Ticket/Display.html?id=117079 >


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

I'd like to report a vulnerability in XML::Simple which relates to how
it handles XML entities, both internally and externally defined.  I believe
this may affect more than simply XML::Simple, although I haven't had a
chance to create a PoC for the implementations of XML parsers on which
XML::Simple depends.  The


 

Tim Brown
Head Of Research
Senior Security Consultant
Portcullis Computer Security Ltd
The Grange Barn, Pike's End, Pinner, Middlesex, HA5 2EX
http://www.portcullis-security.com/
Tel: +44 (0)20 8868 0098
Fax: +44 (0)20 8868 0017
Email: advisories@portcullis-security.com



> -----Original Message-----
> From: Tim M. Brown On Behalf Of advisories
> Sent: 06 March 2013 19:57
> To: Grant McLean; advisories
> Cc: grantm@cpan.org; security@perl.org
> Subject: RE: Vulnerability in XML::Simple
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Acknowledged.  This relates to an active issue being
> discussed on the oss-security mailing list regarding XML
> entity resolution.  I will file a bug but we need to move fast.
>
> Tim
>
> > -----Original Message-----
> > From: Grant McLean [mailto:grant@mclean.net.nz]
> > Sent: 06 March 2013 19:48
> > To: advisories
> > Cc: grantm@cpan.org; security@perl.org
> > Subject: Re: Vulnerability in XML::Simple
> >
> > Hi Tim
> >
> > On Wed, 2013-03-06 at 19:33 +0000, Tim Brown wrote:
> > > Hi all,
> > >
> > > We have a security advisory that affects the XML::Simple module
> > > distributed on CPAN.  It is likely that other Perl XML modules are
> > > also affected.  How would you like to proceed?
> >
> > If you've found a problem, then I'd recommend you report it via the RT
> > bug queue:
> >
> >   https://rt.cpan.org/Public/Bug/Report.html?Queue=XML-Simple
> >
> > Regards
> > Grant
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iQEcBAEBAgAGBQJRN59sAAoJECflJKyfX3/OgtIH/AyvMeJ1vvP887f989SREZMk
> m9bPwQxahfIVHKBBtb+yT1QBa+CJrBdZkKljACDGw3qnO6EBNOW8fdK8mMdsYMRL
> galJXlXJkcrUUQAA64B7lJNpIyWTVnOfl/dEc5QhvhHUHwBS+g1UqtBBEZUS0+BB
> c9uzYu3qPIHsCh/6KHenOijpTrQ56VJg23ShrJ5iLyhW/rSBla3wrz+3ej0Wy5bq
> R0l0wKwQkg0viwWtl9AfDt5Ja2DUSdPJr5qzlxDq2QgUWO1wzl/ucxYqHhjxhbYk
> y5ZjqCAw2Gq7L8xhZCKFKX3H0KmwRpq2RinyAGPpwr6+Nut0GsbscI3LjEevn3A=
> =WG0+
> -----END PGP SIGNATURE-----
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJRN6LvAAoJECflJKyfX3/OIkwH/24X3qvU2aO++vBt7+tjf0jG
yj4j+J0KpV4xKXaWeTrAuStqr7dBSPpy9zlcaspmX0lhqmKMUdDS5CTxz5UCiSeg
dxgAKEGbcQQ4MVMMQlO36/ImeaCFnCm56p2vqGtxPyuQ/5KGBVmtvbpKSAqqY3Ua
GHhZKXMSLM+ulUtoJ2VwGH5QaSwQDOlUYMebxpEGIwc0/ghPR5ncpMXn323jpf9p
uwGcfO8po0l3dPuqCLZ+dCVSl86X+Coc7ldW3ulfr/HlWKRFy0YlWwprQnEBm52k
+jMgngKoEsU2OwIxM1U/mj3Va52yzGdxdWnQYvpV69oiK0jXksHkw99MQNAttM0=
=GWOd
-----END PGP SIGNATURE-----
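The advisory above concerns how XML::Simple handles entities declared in a DTD, internal and external alike. The following is an added example, not code from the advisory, from Tim Brown, or from the XML::Simple distribution: it shows one defender-side mitigation that does not depend on parser internals, namely refusing any document that carries a DOCTYPE declaration before it is handed to XMLin, since entity declarations can only appear inside one. The helper names (has_doctype, safe_xmlin) and the two sample documents are constructed for this example; it assumes XML::Simple is installed.

```perl
#!/usr/bin/env perl
# Added example, not part of the advisory or of XML::Simple itself.
# Mitigation: reject XML that declares a DOCTYPE before XML::Simple sees it,
# so neither internal nor external entities can be declared by the input.
use strict;
use warnings;
use XML::Simple qw(XMLin);

# Returns 1 if the document contains a DOCTYPE declaration, else 0.
# Without a DOCTYPE the only entities available are the five predefined
# ones (&lt; &gt; &amp; &apos; &quot;), which cannot reference files or URLs.
sub has_doctype {
    my ($xml) = @_;
    # Drop XML comments first so "<!DOCTYPE" inside a comment is not a false hit;
    # matching is deliberately conservative (case-insensitive, whole prefix).
    (my $stripped = $xml) =~ s/<!--.*?-->//gs;
    return $stripped =~ /<!DOCTYPE\b/i ? 1 : 0;
}

# Wrapper around XMLin that fails closed on DTD-carrying input.
# KeyAttr => [] and ForceArray => 0 are ordinary XML::Simple options chosen
# here only to keep the returned structure predictable.
sub safe_xmlin {
    my ($xml) = @_;
    die "refusing XML with a DOCTYPE declaration\n" if has_doctype($xml);
    return XMLin($xml, ForceArray => 0, KeyAttr => []);
}

# Constructed sample inputs: a plain document, and one that declares an
# internal entity (the same mechanism an external entity would use).
my $plain = '<config><name>demo</name></config>';
my $dtd   = '<!DOCTYPE config [<!ENTITY x "expanded">]>'
          . '<config><name>&x;</name></config>';

my $ok = safe_xmlin($plain);
print "plain: name=$ok->{name}\n";

eval { safe_xmlin($dtd) };
print "dtd: $@" if $@;
```

This check rejects all DTDs, including legitimate ones, which is the trade-off a practitioner should weigh: it is appropriate for untrusted input where no DTD is expected, and it should sit in front of the parser rather than replace parser-level options (such as disabling entity expansion and external DTD loading) where the underlying parser offers them.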
