Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2014-3660

Published: 16 October 2014

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

Priority

Medium

Status

Package Release Status
libxml2
Launchpad, Ubuntu, Debian 		lucid
Released (2.7.6.dfsg-1ubuntu1.15)
precise
Released (2.7.8.dfsg-5.1ubuntu4.11)
trusty
Released (2.9.1+dfsg1-3ubuntu4.4)
upstream
Released (2.9.2)
utopic
Released (2.9.1+dfsg1-4ubuntu1)
Patches:
upstream: https://git.gnome.org/browse/libxml2/commit/?id=a3f1e3e5712257fd279917a9158278534e8f4b72
upstream: https://git.gnome.org/browse/libxml2/commit/?id=cff2546f13503ac028e4c1f63c7b6d85f2f2d777
upstream: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading