On Tue, Jan 21, 2014 at 12:38 PM, Galen Charlton <gmcha...@gmail.com> wrote:
> I have uploaded version 1.0.2 of MARC::File::XML. This is a
> security release that repairs an XML external entity (XXE)
> vulnerability. I recommend that all users of MARC::File::XML upgrade.
> Here is the change log entry:
> 1.0.2 Tue Jan 21 17:18:37 UTC 2014
> - MARC::File::XML will now die upon parsing a record that
> declares an external entity and tries to use it. This
> prevents the potential unwanted disclosure of the contents
> of files on the server by applications that embed this module.
> If, for some reason, an application needs to process MARCXML
> records that contain external entities, set_parser() can be
> used to force the use of an XML::LibXML parser that is
> configured to process external entities.
> The issue was reported by John Lightsey.
>  https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2
RPMs are available for manual download for Fedora 19 [a] and Fedora 20
[b], but will not be available through the normal updates process
until sufficient testing karma has been granted.
If you have a Fedora account and can test the packages & grant them
karma, please do so!
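As an added illustration, not code from the release or from either message above, the following Perl snippet uses the set_parser() hook mentioned in the change log to install an XML::LibXML parser with external DTD loading and entity expansion switched off, then checks that a constructed MARCXML record declaring an external entity is refused rather than resolved. The XML::LibXML constructor option names are assumed from that module's documentation; the record and the file path in it are constructed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use XML::LibXML;
use MARC::Record;
use MARC::File::XML;   # adds MARC::Record->new_from_xml

# Constructed MARCXML record that declares an external entity and
# references it from a subfield. The SYSTEM path is a placeholder.
my $untrusted_record = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE record [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path/on/server">
]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="0" ind2="0">
    <subfield code="a">&ext;</subfield>
  </datafield>
</record>
XML

# Hardened parser: no external DTD loading, no entity substitution,
# no network access. Option names assumed from XML::LibXML's docs.
my $parser = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);
MARC::File::XML->set_parser($parser);   # hook named in the release note

# Regression check: with 1.0.2 the parse dies; with the hardened
# parser on any version, the entity must not be resolved to content.
my $record = eval { MARC::Record->new_from_xml($untrusted_record, 'UTF-8') };
if ($@) {
    print "record rejected as expected: $@";
} else {
    my $title = $record->subfield('245', 'a') // '';
    die "external entity was resolved into 245\$a: '$title'\n"
        if length $title;
    print "record parsed, entity left unresolved\n";
}
```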