CVE-2017-1000061
Published: 17 July 2017
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
From the Ubuntu Security Team
It was discovered that xmlsec incorrectly handled certain input documents. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service.
Notes
| Author | Note |
|---|---|
| rodrigo-zaiden | for full protection, libxml2 should be patched against CVE-2016-9318. in a patched version of xmlsec1 tool, if needed, parsing external entities can be forced with --xxe option. |
Priority
Low
CVSS 3 base score: 7.1
Status
| Package | Release | Status |
|---|---|---|
|
xmlsec1 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1.2.24-3)
|
| bionic |
Not vulnerable
(1.2.24-3)
|
|
| cosmic |
Not vulnerable
(1.2.24-3)
|
|
| disco |
Not vulnerable
(1.2.24-3)
|
|
| eoan |
Not vulnerable
(1.2.24-3)
|
|
| focal |
Not vulnerable
(1.2.24-3)
|
|
| groovy |
Not vulnerable
(1.2.24-3)
|
|
| hirsute |
Not vulnerable
(1.2.24-3)
|
|
| impish |
Not vulnerable
(1.2.24-3)
|
|
| jammy |
Not vulnerable
(1.2.24-3)
|
|
| kinetic |
Not vulnerable
(1.2.24-3)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(1.2.24-1)
|
|
| xenial |
Released
(1.2.20-2ubuntu4+esm1)
|
|
| yakkety |
Ignored
(reached end-of-life)
|
|
| zesty |
Ignored
(reached end-of-life)
|