Improper Restriction of XML External Entity Reference vulnerability was found in libxml2. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1395610]
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1395611]
Affects: epel-7 [bug 1395612]
See also CVE-2017-7375 (bug 1462203) which is a similar failure to restrict external entities. The fix for CVE-2016-9318 (when it's ready) should also close that flaw.
Upstream is still working on a way to disable external entities while allowing internal entity expansion to work, which will likely eventually surface as a new option flag. Since RPC interfaces and other instances where untrusted documents are parsed normally do not rely on internal entity expansion, the mitigation is acceptable in these environments. If instances are discovered where this mitigation is not acceptable, Product Security will evaluate these and determine a suitable solution.
Application parsing untrusted input with libxml2 should be careful to NOT use entity expansion (enabled by XML_PARSE_NOENT) or DTD validation (XML_PARSE_DTDLOAD, XML_PARSE_DTDVALID) on such input.