Fix XXE vulnerability by upgrading Xmlhash to 1.3.8
Xmlhash 1.3.7 and below incorrectly disabled entity expansion by instead
forcing them to be expanded (since libxml misleadingly named the option
forcing entity expansion NOENT
). This could be used to force OBS to
connect to external hosts by sending a specially crafted XML file.
See: