Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-3660

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2014101...
MISC: https://www.ncsc.nl/ac...
CONFIRM: https://bugzilla.redha...
DEBIAN: DSA-3057
REDHAT: RHSA-2014:1655
SUSE: openSUSE-SU-2014:1330
UBUNTU: USN-2389-1
BID: 70644
SECUNIA: 61965
SECUNIA: 61966
SECUNIA: 61991
REDHAT: RHSA-2014:1885
SECUNIA: 59903
MANDRIVA: MDVSA-2014:244
CONFIRM: https://support.apple....
CONFIRM: https://support.apple....
APPLE: APPLE-SA-2015-08-13-2
APPLE: APPLE-SA-2015-08-13-3
CONFIRM: http://www.oracle.com/...
CONFIRM: http://www.oracle.com/...
SUSE: openSUSE-SU-2015:2372
MISC: https://bugzilla.redha...
CONFIRM: http://kb.juniper.net/...

Launchpad.net

CVE 2014-3660

Related bugs

References