libxml2 is vulnerable to XML external entity attacks. The xmlParserHandlePEReference function in parser.c allows external parameter entities to be loaded regardless of whether entity substitution or validation is enabled. This allows an attacker to cause a denial of service condition or an information leak using a crafted XML document.
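A pre-parse screen for the condition described above, as an added example that is not libxml2 or advisory code: it uses Python's standard-library expat binding, which fetches nothing when no ExternalEntityRefHandler is installed, to list external parameter entity declarations before a document is handed to an affected libxml2 build. The function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not taken from the advisory).
SAMPLE_EXTERNAL_PE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % ext SYSTEM "http://dtd.example.invalid/ext.dtd">
  %ext;
]>
<doc/>"""

SAMPLE_INTERNAL_PE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % local "<!ELEMENT doc EMPTY>">
]>
<doc/>"""


def external_parameter_entities(xml_bytes):
    """Return (name, system_id, public_id) for each external parameter
    entity declared in the document's DTD. Raises ExpatError if malformed."""
    found = []

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        # An external entity has no literal value, only a SYSTEM/PUBLIC id.
        if is_parameter and value is None and system_id is not None:
            found.append((name, system_id, public_id))

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so nothing is fetched here.
    parser.Parse(xml_bytes, True)
    return found


def screen(xml_bytes):
    """Hypothetical gate: (True, reason) only if no external parameter
    entity is declared and the document is well-formed."""
    try:
        hits = external_parameter_entities(xml_bytes)
    except expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    if hits:
        names = ", ".join("%%%s -> %s" % (n, s) for n, s, _ in hits)
        return False, "external parameter entities declared: " + names
    return True, "no external parameter entities declared"
```

The screen only sees declarations in the internal DTD subset; a document that points at an external DTD subset is not inspected beyond its DOCTYPE line, so this complements rather than replaces running a libxml2 build that contains the fix.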
lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
rhn.redhat.com/errata/RHSA-2015-0749.html
www-01.ibm.com/support/docview.wss?uid=swg21678183
www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
www.securityfocus.com/bid/67233
xmlsoft.org/news.html
bugzilla.redhat.com/show_bug.cgi?id=1090976
exchange.xforce.ibmcloud.com/vulnerabilities/93092
git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
github.com/GNOME/libxml2/commit/dd8367da17c2948981a51e52c8a6beb445edf825
support.apple.com/kb/HT205030
support.apple.com/kb/HT205031