On Tue, Jan 21, 2014 at 12:38 PM, Galen Charlton <gmcha...@gmail.com> wrote:
> Hi,
> I have uploaded [1] version 1.0.2 of MARC::File::XML.  This is a
> security release that repairs an XML external entity (XXE)
> vulnerability.  I recommend that all uses of MARC::File::XML upgrade
> promptly.
> Here is the change log entry:
> 1.0.2 Tue Jan 21 17:18:37 UTC 2014
>        - MARC::File::XML will now die upon parsing a record that
>          declares an external entity and tries to use it. This
>          prevents the potential unwanted disclosure of the contents
>          of files on the server by applications that embed this module.
>          If, for some reason, an application needs to process MARCXML
>          records that contain external entities, set_parser() can be
>          used to force the use of an XML::LibXML parser that is
>          configured to process external entities.
>          The issue was reported by John Lightsey.
> [1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2

RPMs are available for manual download for Fedora 19 [a] and Fedora 20
[b], but will not be available through the normal updates process
until sufficient testing karma has been granted.

If you have a Fedora account and can test the packages & grant them
karma, please do so!

a. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19
b. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc20


Reply via email to