[OPEN-ILS-GENERAL] SECURITY release: MARC::File::XML 1.0.2

Galen Charlton gmc at esilibrary.com
Tue Jan 21 13:37:07 EST 2014


Hi,

I have uploaded [1] version 1.0.2 of MARC::File::XML, a Perl module
which is used by Evergreen. This is a security release that repairs an
XML external entity (XXE) vulnerability.  I suspect that there is at
least one way that the vulnerability could be used by an individual
who has certain staff permission on an Evergreen system to view the
contents of arbitrary files on the Evergreen server.

Consequently, I recommend that Evergreen users arrange to upgrade
MARC::File::XML promptly.  On many Linux systems, this can be done by
running the following command with root privileges:

cpan MARC::File::XML

If the installation fails, the most likely reason is that your version
of ExtUtils::MakeMaker is not recent enough.  You can fix this by
running the following command first, then attempting the installation
of MARC::File::XML again.

cpan ExtUtils::MakeMaker

Please note that at the time of this writing, not all CPAN mirrors
will have the most recent version of MARC::File::XML.

You can check the version of MARC::File::XML that is installed by running:

perl -MMARC::File::XML -e 'print $MARC::File::XML::VERSION, "\n"'

Dan Scott will be packaging MARC::File::XML 1.0.2 shortly.  I imagine
that a package of MARC::File::XML 1.0.2 will be made available on the
Koha project's APT server soon, and possibly sooner than Debian.

Please note that older releases of MARC::File::XML prior to the switch
to XML::LibXML are also vulnerable.

Here is the relevant change log entry:

1.0.2 Tue Jan 21 17:18:37 UTC 2014
       - MARC::File::XML will now die upon parsing a record that
         declares an external entity and tries to use it. This
         prevents the potential unwanted disclosure of the contents
         of files on the server by applications that embed this module.
         If, for some reason, an application needs to process MARCXML
         records that contain external entities, set_parser() can be
         used to force the use of an XML::LibXML parser that is
         configured to process external entities.

         The issue was reported by John Lightsey.

[1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org


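Added example (not part of Galen's post and not MARC::File::XML's own code): a stand-alone Perl script showing what the XXE pattern described above looks like in a MARCXML record, and one way to parse such input with XML::LibXML so that an external entity is neither fetched nor expanded and the record is refused instead. The two MARCXML records are constructed for this example; the `file:///etc/hostname` SYSTEM identifier is a placeholder for any file the server process can read. The parser options (`expand_entities`, `load_ext_dtd`, `no_network`) are XML::LibXML's own; the `parse_marcxml_safely` and `refuse_entity_refs` helpers are written for this example and are not the policy MARC::File::XML 1.0.2 implements internally.

```perl
#!/usr/bin/perl
# Added example: refuse MARCXML records that declare and use an external
# entity, using XML::LibXML directly. Not MARC::File::XML's own code.
use strict;
use warnings;
use XML::LibXML qw(:libxml);   # exports node-type constants such as XML_ENTITY_REF_NODE

# Constructed sample: a minimal MARCXML record carrying an external entity
# declaration and a reference to it in a subfield. The SYSTEM identifier is
# a placeholder; an attacker would point it at any file the server can read.
my $hostile_marcxml = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE record [
  <!ENTITY leak SYSTEM "file:///etc/hostname">
]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="0" ind2="0">
    <subfield code="a">&leak;</subfield>
  </datafield>
</record>
XML

# Constructed sample: the same record with ordinary text in the subfield.
my $benign_marcxml = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="0" ind2="0">
    <subfield code="a">A harmless title</subfield>
  </datafield>
</record>
XML

# A parser that does not substitute entity references, does not load an
# external DTD and never touches the network. With these options libxml2
# keeps "&leak;" in the tree as an entity reference node instead of
# reading the file it points at.
my $parser = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);

# Walk the tree and die on the first entity reference node found: the
# record declared an entity and tried to use it (assumed helper, written
# for this example).
sub refuse_entity_refs {
    my ($node) = @_;
    for my $child ($node->childNodes) {
        die sprintf("refusing record: entity reference '%s' in <%s>\n",
                    $child->nodeName, $node->nodeName)
            if $child->nodeType == XML_ENTITY_REF_NODE;
        refuse_entity_refs($child);
    }
}

# Parse with the hardened parser, then apply two checks: no entity
# references anywhere, and, stricter still, no DOCTYPE at all, since
# MARCXML is schema-based and has no business carrying an internal subset.
sub parse_marcxml_safely {
    my ($xml) = @_;
    my $doc = $parser->parse_string($xml);
    refuse_entity_refs($doc->documentElement);
    die "refusing record: DOCTYPE/internal subset present\n"
        if $doc->internalSubset;
    return $doc;
}

for my $case ([hostile => $hostile_marcxml], [benign => $benign_marcxml]) {
    my ($label, $xml) = @$case;
    my $doc = eval { parse_marcxml_safely($xml) };
    if ($doc) {
        my ($sf) = $doc->findnodes('//*[local-name()="subfield"][@code="a"]');
        printf "%s: accepted, 245\$a = %s\n", $label, $sf->textContent;
    } else {
        printf "%s: rejected: %s", $label, $@;
    }
}
```

Running the script rejects the hostile record at the entity reference in the 245 subfield and accepts the benign one. The check on `internalSubset` is a stricter policy than the change log describes (which only dies when a declared entity is actually used); it is there because a DOCTYPE has no legitimate place in MARCXML, so refusing it outright removes the whole class of DTD tricks rather than just the one shown here.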