xmlsec is vulnerable to XML External Entity Expansion via libxml2 (see CVE-2016-9318). A workaround is in progress on the upstream bug report.
Is this affecting only the command-line utility?
(In reply to Simo Sorce from comment #2)
> Is this affecting only the command-line utility?
The library is affected as well, as it uses libxml2 in the same way.
I see no patch for the library upstream.
What's the recommendation?
(In reply to Simo Sorce from comment #4)
> I see no patch for the library upstream.
> What's the recommendation?
The merge request on the upstream ticket applies to the library as well (xmlSecInit() in src/xmlsec.c).
Created xmlsec1 tracking bugs for this issue:
Affects: epel-7 [bug 1472090]
Affects: fedora-all [bug 1472089]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2492 https://access.redhat.com/errata/RHSA-2017:2492