Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4409 to the following vulnerability: libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. Upstream bugreport: http://bugzilla.gnome.org/show_bug.cgi?id=554660 Fixed upstream in 2.7.2: http://mail.gnome.org/archives/xml/2008-October/msg00016.html References: http://openwall.com/lists/oss-security/2008/10/02/4
This issue only affected 2.7.x versions of libxml2. Versions of libxml2 as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5 were not affected by this problem.
Issue was fixed in Fedora via: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8582 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8575