CVE-2014-3660
EPSS 3.9%
libxml2 - security update
Published: 2014/11/4
Modified: 2026/4/28
Description
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
Affected packages (3)
- Debian/libxml2 from 0, < 2.9.2+dfsg1-1
- Debian/libxml2 from 0, < 2.7.8.dfsg-2+squeeze10
- Debian/libxml2 from 0, < 2.8.0+dfsg1-7+wheezy2