*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Robie Basak (racb):

libxml's libxml_disable_entity_loader was not threadsafe on php-fpm prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE attack even though the entity loader was disabled in your code.

Zend came up with a separate library for this: https://github.com/zendframework/ZendXml. However, I don't think it is that widely used, and the fix itself is hard: the library itself had to be patched again ([ZF2015-06]). AFAIK the patch to fix this issue has not yet been backported. I think it would be a much-needed security enhancement, given that the workaround is hard and, as history has shown, prone to complicated Unicode encoding attacks.

For more information, please see:

* https://bugs.php.net/bug.php?id=64938 (fixed in 5.5.22)
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: php5 (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Tags: xml xxe

-- 
libxml_disable_entity_loader is not threadsafe
https://bugs.launchpad.net/bugs/1509817
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.

-- 
Ubuntu-server-bugs mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
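An added example, not part of the bug report above and not code from PHP, Ubuntu or ZendXml, showing the kind of defence the report alludes to: parse untrusted XML without entity substitution or DTD loading, forbid network access, and then refuse any document that carries a DOCTYPE. The check runs on the parsed DOM rather than on the raw bytes, so it does not depend on the global libxml_disable_entity_loader() state and is not a string heuristic that alternative encodings of "<!DOCTYPE" can slip past. The function and class names (parse_untrusted_xml, XxeRejected) and the two sample documents are constructed for this illustration.

```php
<?php
// Added example: defence in depth for XXE in PHP. Names and sample inputs are
// hypothetical and constructed for this illustration.

final class XxeRejected extends RuntimeException {}

/**
 * Parse $xml into a DOMDocument and refuse anything that declares a DOCTYPE
 * (and so could declare internal or external entities).
 */
function parse_untrusted_xml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new XxeRejected('empty document');
    }

    // Belt: the global switch this bug report is about. Per-request state, and
    // deprecated since PHP 8.0 because external entity loading is off by default there.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // Braces: no LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD
        // (no external DTD fetch), and LIBXML_NONET to forbid network access.
        $ok = $dom->loadXML($xml, LIBXML_NONET);
        if ($ok === false) {
            throw new XxeRejected('malformed XML');
        }

        // Suspenders: reject any DOCTYPE on the parsed tree. A document without a
        // DOCTYPE cannot declare entities, so &xxe;-style references cannot resolve.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new XxeRejected('DOCTYPE is not allowed in untrusted input');
            }
        }

        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs: one benign order, one classic XXE payload.
$samples = [
    'benign' => '<?xml version="1.0"?><order><id>42</id></order>',
    'xxe'    => '<?xml version="1.0"?>'
              . '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              . '<order><id>&xxe;</id></order>',
];

foreach ($samples as $label => $doc) {
    try {
        $parsed = parse_untrusted_xml($doc);
        $id = $parsed->getElementsByTagName('id')->item(0)->textContent;
        echo "$label: accepted, id=$id\n";
    } catch (XxeRejected $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php xxe_guard.php` (any file name): the benign document is accepted and the XXE document is rejected on the DOCTYPE check, regardless of whether the entity loader switch was honoured by the current SAPI. If your application genuinely needs a DTD, validate against a DTD you ship yourself rather than loosening this check, and never pass LIBXML_NOENT to loadXML() on untrusted input.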
