Re: SECURITY release: MARC::File::XML 1.0.2

2014-01-22 Thread Dan Scott
On Tue, Jan 21, 2014 at 12:38 PM, Galen Charlton gmcha...@gmail.com wrote:
 Hi,

 I have uploaded [1] version 1.0.2 of MARC::File::XML.  This is a
 security release that repairs an XML external entity (XXE)
 vulnerability.  I recommend that all users of MARC::File::XML upgrade
 promptly.

 Here is the change log entry:

 1.0.2 Tue Jan 21 17:18:37 UTC 2014
    - MARC::File::XML will now die upon parsing a record that
      declares an external entity and tries to use it. This
      prevents the potential unwanted disclosure of the contents
      of files on the server by applications that embed this module.
      If, for some reason, an application needs to process MARCXML
      records that contain external entities, set_parser() can be
      used to force the use of an XML::LibXML parser that is
      configured to process external entities.

      The issue was reported by John Lightsey.

 [1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2

RPMs are available for manual download for Fedora 19 [a] and Fedora 20
[b], but will not be available through the normal updates process
until sufficient testing karma has been granted.

If you have a Fedora account and can test the packages and grant them
karma, please do so!

a. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19
b. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc20

Thanks,
Dan


SECURITY release: MARC::File::XML 1.0.2

2014-01-21 Thread Galen Charlton
Hi,

I have uploaded [1] version 1.0.2 of MARC::File::XML.  This is a
security release that repairs an XML external entity (XXE)
vulnerability.  I recommend that all users of MARC::File::XML upgrade
promptly.

Here is the change log entry:

1.0.2 Tue Jan 21 17:18:37 UTC 2014
    - MARC::File::XML will now die upon parsing a record that
      declares an external entity and tries to use it. This
      prevents the potential unwanted disclosure of the contents
      of files on the server by applications that embed this module.
      If, for some reason, an application needs to process MARCXML
      records that contain external entities, set_parser() can be
      used to force the use of an XML::LibXML parser that is
      configured to process external entities.

      The issue was reported by John Lightsey.

[1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2

Regards,

Galen
-- 
Galen Charlton
gmcha...@gmail.com
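
An illustration of the behaviour the change log describes, added here and not taken from MARC::File::XML's source: an XML::LibXML parser whose `ext_ent_handler` option dies, run against a constructed MARCXML record that references a constructed canary file, with a well-behaved record for comparison. The helper names (`marcxml`, `strict_parser`, `classify`), the sample records and the use of `ext_ent_handler` as the rejection mechanism are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example; not MARC::File::XML's own code.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed canary file standing in for "a file on the server".
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "CANARY-CONTENT";
close $fh;

# Build a constructed MARCXML record; $doctype is empty for the benign case.
sub marcxml {
    my ($doctype, $title) = @_;
    return <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
$doctype
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="0" ind2="0">
    <subfield code="a">$title</subfield>
  </datafield>
</record>
XML
}

my $hostile = marcxml(
    qq{<!DOCTYPE record [ <!ENTITY ext SYSTEM "file://$path"> ]>}, '&ext;');
my $benign = marcxml('', 'Constructed title');

# Parser that refuses to load any external entity. Entity expansion is set
# explicitly so the result does not depend on the installed library's default.
sub strict_parser {
    return XML::LibXML->new(
        expand_entities => 1,
        ext_ent_handler => sub { die "External entities are not supported\n" },
    );
}

# Report whether a record was rejected, parsed cleanly, or leaked the canary.
sub classify {
    my ($xml) = @_;
    my $doc = eval { strict_parser()->parse_string($xml) };
    unless ($doc) { chomp(my $err = "$@"); return "rejected: $err" }
    return $doc->toString =~ /CANARY-CONTENT/ ? 'LEAKED canary' : 'parsed';
}

print "hostile: ", classify($hostile), "\n";
print "benign:  ", classify($benign), "\n";
```

A "LEAKED canary" result for the hostile record means the parser configuration in use still resolves external entities and should not be handed untrusted MARCXML.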