diff options
| author | Joe MacDonald <joe_macdonald@mentor.com> | 2014-10-20 13:51:21 -0400 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-24 17:36:16 +0100 |
| commit | b05755c6efadd3eb1f7842d4909c6f8752eb0538 (patch) | |
| tree | f4fa6fbec8e39a87544f5f0f16d5058cd1cbce5c /meta/recipes-core/libxml/libxml2.inc | |
| parent | 0de79a72bf6173b950fc0619b87a8cbe35067f26 (diff) | |
| download | ast2050-yocto-poky-b05755c6efadd3eb1f7842d4909c6f8752eb0538.zip ast2050-yocto-poky-b05755c6efadd3eb1f7842d4909c6f8752eb0538.tar.gz | |
libxml2: fix CVE-2014-3660
It was discovered that the patch for CVE-2014-0191 for libxml2 is
incomplete. It is still possible to have libxml2 incorrectly perform
entity substituton even when the application using libxml2 explicitly
disables the feature. This can allow a remote denial-of-service attack on
systems with libxml2 prior to 2.9.2.
References:
http://www.openwall.com/lists/oss-security/2014/10/17/7
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html
(From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f)
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/libxml/libxml2.inc')
| -rw-r--r-- | meta/recipes-core/libxml/libxml2.inc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index bcf9a62..c729c19 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc @@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://libxml2-CVE-2014-0191-fix.patch \ file://python-sitepackages-dir.patch \ file://libxml-m4-use-pkgconfig.patch \ + file://libxml2-CVE-2014-3660.patch \ " BINCONFIG = "${bindir}/xml2-config" |
