Bug #118972 for GraphViz: Possible SEC fixes needed for XML-Twig CVE-2016-9180

Fri Nov 25 23:12:06 2016 KENTNL [...] cpan.org - Ticket created

Subject:

Possible SEC fixes needed for XML-Twig CVE-2016-9180

XML::Twig 3.50 has a new option to ->new() , "no_xxe" to avoid problems with CVE-2016-9180 ( https://rt.cpan.org/Ticket/Display.html?id=118097 )

https://metacpan.org/pod/release/MIROD/XML-Twig-3.52/Twig.pm#no_xxe

If GraphViz::XML does not explicitly need XXE support anywhere, turning this option might be advised.

Especially so if source XML might come from untrusted sources.

https://metacpan.org/source/RSAVAGE/GraphViz-2.22/lib/GraphViz/XML.pm#L51-54

Thanks.

--
- CPAN kentnl@cpan.org
- Gentoo Perl Maintainer kentnl@gentoo.org ( perl@gentoo.org )

Fri Dec 23 19:30:10 2016 RSAVAGE [...] cpan.org - Correspondence added

V 2.23 is now on CPAN. Thanx to Lisa Hare for the patches!

Fri Dec 23 19:30:11 2016 The RT System itself - Status changed from 'new' to 'open'

Fri Dec 23 19:30:16 2016 RSAVAGE [...] cpan.org - Status changed from 'open' to 'resolved'