
Fix XXE vulnerability by upgrading Xmlhash to 1.3.8

Andrej Shadura requested to merge andrewsh/xmlhash-update into collabora/staging

Xmlhash 1.3.7 and below incorrectly disabled entity expansion by instead forcing them to be expanded (since libxml misleadingly named the option forcing entity expansion NOENT). This could be used to force OBS to connect to external hosts by sending a specially crafted XML file.

See:
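The parser-option mix-up described above, shown as an added example that is not code from xmlhash, from OBS or from this merge request. The Python standard library does not wrap libxml2, so this uses the expat-based xml.sax parser, whose feature_external_ges switch stands in for libxml2's NOENT: when it is on, a SYSTEM entity in a crafted document is fetched and its contents substituted into the element text; when it is off (the default since Python 3.7.1), the reference is dropped. The entity name, element names, sample document and temporary file are constructed for the demonstration, and the SYSTEM identifier points at a local file so the example runs offline; an http:// identifier would go through the same urllib resolver and perform the outbound request the description warns about. The has_doctype pre-check is an added hardening step, not something xmlhash does.

```python
"""Added example: external entity expansion controlled by a parser flag.

expand_external_entities=True mimics xmlhash <= 1.3.7 (libxml2 NOENT on);
False is the intended, safe configuration. Uses Python's expat-based
xml.sax parser, where feature_external_ges plays the role of NOENT.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects the character data of every element, keyed by element name."""

    def __init__(self):
        super().__init__()
        self.texts = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.texts.setdefault(name, "")

    def characters(self, content):
        # characters() may arrive in several chunks; concatenate them.
        if self._stack:
            self.texts[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


def parse_to_texts(xml_bytes, expand_external_entities):
    """Parse xml_bytes and return {element name: text}.

    With expand_external_entities=True the parser resolves SYSTEM entities
    (file or URL) and splices their contents into the text, which is the
    xmlhash <= 1.3.7 behaviour. With False the reference is simply skipped.
    """
    parser = xml.sax.make_parser()
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, expand_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.texts


def crafted_document(target):
    """Build the attacker-controlled document (constructed sample).

    target is the SYSTEM identifier the parser will fetch when entity
    substitution is on; a file:// URL here, an http:// URL in the real attack.
    """
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY ext SYSTEM "{target}">\n'
        "]>\n"
        "<data><secret>&ext;</secret></data>\n"
    ).encode()


def has_doctype(xml_bytes):
    """Cheap defence-in-depth check: entity declarations need a DTD, and an
    API payload has no business carrying one, so reject any DOCTYPE outright.
    The keyword is case-sensitive in XML, so a plain substring test suffices.
    """
    return b"<!DOCTYPE" in xml_bytes


def demonstrate():
    """Return (safe_text, vulnerable_text) for the same crafted document.

    A temporary file stands in for the resource the attacker wants the
    server to read or contact.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("hostname-or-secret")
        path = f.name
    try:
        doc = crafted_document(f"file://{path}")
        safe = parse_to_texts(doc, expand_external_entities=False)["secret"]
        vuln = parse_to_texts(doc, expand_external_entities=True)["secret"]
    finally:
        os.unlink(path)
    return safe, vuln


if __name__ == "__main__":
    safe_text, vuln_text = demonstrate()
    print(f"entity expansion off: {safe_text!r}")
    print(f"entity expansion on:  {vuln_text!r}")
```

The lesson for any libxml2 wrapper is the same as for this one: the option that looks like "no entities" (NOENT) is the one that turns substitution on, so the safe configuration leaves it unset and, where the input format never needs a DTD, rejects documents that declare one before they reach the parser.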
