xmlsec is vulnerable to XML External Entity Expansion via libxml2 (see CVE-2016-9318). A workaround is in progress on the upstream bug report. Upstream bug: https://github.com/lsh123/xmlsec/issues/43
Is this affecting only the command line utility?
(In reply to Simo Sorce from comment #2)
> Is this affecting only the command line utility?

The library is affected as well, as it uses libxml2 in the same way.
I see no patch for the library upstream. What's the recommendation?
(In reply to Simo Sorce from comment #4)
> I see no patch for the library upstream.
> What's the recommendation?

The merge request on the upstream ticket applies to the library as well (xmlSecInit() in src/xmlsec.c).
Upstream patch: https://github.com/lsh123/xmlsec/pull/93/files
Created xmlsec1 tracking bugs for this issue:
Affects: epel-7 [bug 1472090]
Affects: fedora-all [bug 1472089]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2492 https://access.redhat.com/errata/RHSA-2017:2492