
This queue is for tickets about the Net-DBus CPAN distribution.

Report information
The Basics
Id: 118971
Status: resolved
Priority: 0/
Queue: Net-DBus

People
Owner: Nobody in particular
Requestors: KENTNL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Subject: Possible SEC fixes needed for XML-Twig CVE-2016-9180

XML::Twig 3.50 has a new option to ->new(), "no_xxe", to avoid problems with CVE-2016-9180 ( https://rt.cpan.org/Ticket/Display.html?id=118097 )

https://metacpan.org/pod/release/MIROD/XML-Twig-3.52/Twig.pm#no_xxe

If Net::DBus does not explicitly need XXE support anywhere, turning this option on might be advised.

Especially so if source XML might come from untrusted sources.

https://metacpan.org/source/DANBERR/Net-DBus-1.1.0/lib/Net/DBus/Binding/Introspector.pm#L685-693

Thanks.

-- 
- CPAN kentnl@cpan.org
- Gentoo Perl Maintainer kentnl@gentoo.org ( perl@gentoo.org )
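As an added illustration of what the option changes (example code, not part of the ticket or of Net::DBus), the script below parses a constructed introspection-style document that declares an external entity, once with XML::Twig's defaults and once with no_xxe => 1. It assumes XML::Twig 3.50 or later and a Unix-style filesystem; the entity target is a temporary file the script creates itself.

```perl
#!/usr/bin/perl
# Added example, not code from Net::DBus: show what the no_xxe option of
# XML::Twig (3.50+) changes when a document declares an external entity.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;

# Constructed fixture: a local file standing in for data that should never
# end up inside a parsed document. Created here so the script is self-contained.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "placeholder-secret";
close $fh;

# Constructed introspection-style document whose DOCTYPE declares an
# external entity pointing at that file and references it in a method.
my $xml = <<"END_XML";
<!DOCTYPE node [
  <!ENTITY ext SYSTEM "$secret_path">
]>
<node name="/org/example">
  <interface name="org.example.Iface">
    <method name="Ping">&ext;</method>
  </interface>
</node>
END_XML

# Parse with the given constructor options and report what the parser put
# into <method>, or the error raised when the external entity is refused.
sub describe_parse {
    my (%opts) = @_;
    my $twig = XML::Twig->new(%opts);
    my $ok = eval { $twig->parse($xml); 1 };
    return "refused: $@" unless $ok;
    my $method = $twig->root->first_child('interface')->first_child('method');
    return "expanded entity to: '" . $method->text . "'";
}

# With the defaults XML::Parser's built-in handler opens the SYSTEM id and
# the file contents appear in the tree; with no_xxe the parse dies instead.
print "default     : ", describe_parse(), "\n";
print "no_xxe => 1 : ", describe_parse(no_xxe => 1), "\n";
```

Checking the second line is a quick way to confirm that the installed XML::Twig actually honours the option (older releases only warn about an unknown option and parse as before).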

I've set no_xxe parameter since there's no reason to want to allow entities to be expanded

commit 95044cd400a0198eedc329de95c135d5104d9b94
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Dec 16 20:57:44 2019 +0000

    Set no_xxe parameter for XML::Twig