Neon, before 0.28.6, does not properly detect recursion during XML entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack." References: ----------- http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
Information about affected Neon versions from Joe Orton: ------------------------------------------------------- All versions of neon older than 0.28.6 are affected, where linked against expat. This issue does not affect versions of neon which are compiled to use libxml2 instead of expat, provided the libxml2 version is 2.6.32 or greater.
Created attachment 357950 [details] Upstream Neon CVE-2009-2473 patch Retrieved via: -------------- svn diff -c 1688 http://svn.webdav.org/repos/projects/neon/tags/0.28.6 > neon-CVE-2009-2473.patch
MITRE's CVE-2009-2473 record: ----------------------------- neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473 http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html http://secunia.com/advisories/36371
Update availability information for embedded copy of neon package as present in gnome-vfs2 package: ------------------------------------------------- The Red Hat Security Response Team has rated this issue as having low security impact, a future gnome-vfs2 package update may address this flaw in Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Via RHSA-2009:1452 https://rhn.redhat.com/errata/RHSA-2009-1452.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0131 https://rhn.redhat.com/errata/RHSA-2013-0131.html