Launchpad CVE tracker

CVE 2014-0191

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

Related bugs and status

CVE-2014-0191 (Candidate) is related to these bugs:

Bug #1321869: xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more

		In	Importance	Status
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2 (Ubuntu)	Undecided	Fix Released
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2	High	Fix Released
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2 (Ubuntu Lucid)	Undecided	Fix Released
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2 (Ubuntu Trusty)	Undecided	Fix Released
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2 (Ubuntu Utopic)	Undecided	Fix Released
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2 (Ubuntu Precise)	Undecided	Fix Released
1321869	xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more	libxml2 (Ubuntu Saucy)	Undecided	Fix Released

Bug #1322039: xmllint --xinclude --postvalid broken by CVE-2014-0191 fix

Summary				In	Importance	Status
	1322039	xmllint --xinclude --postvalid broken by CVE-2014-0191 fix		libxml2 (Ubuntu)	Undecided	Confirmed

Bug #1349465: Please sync libxml2 (main) 2.9.1+dfsg1-4 from Debian testing (main)

Summary				In	Importance	Status
	1349465	Please sync libxml2 (main) 2.9.1+dfsg1-4 from Debian testing (main)		libxml2 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-0191

References