CVE-2014-3660

EPSS 3.9%

libxml2 - security update

Published: 11/4/2014Modified: 4/28/2026

Description

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

Affected packages (3)

Debian/libxml2from 0, < 2.9.2+dfsg1-1
Debian/libxml2from 0, < 2.7.8.dfsg-2+squeeze10
Debian/libxml2from 0, < 2.8.0+dfsg1-7+wheezy2

References (1)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-3660