CVE-2014-3660
libxml2 - security update
EPSS 3.9%
Description
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
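The description makes two points a practitioner needs: the dangerous input is a chain of nested internal entity declarations (each level referencing the one below it many times), and on affected versions leaving entity substitution off (for example not passing XML_PARSE_NOENT to libxml2, or using lxml with resolve_entities=False) did not stop the parser from doing the expansion work. The following is an added Python example, not code from the libxml2 project or from this advisory. It constructs such a document and implements a defence-in-depth pre-check that computes the worst-case expanded size from the internal DTD subset before the bytes are handed to any DTD-processing parser. The names build_billion_laughs, worst_case_expansion, within_expansion_budget and the 10 MB budget are this example's own choices.

```python
import re

# Internal-subset general entity declaration with a literal value,
# e.g. <!ENTITY lol1 "&lol0;&lol0;">. Parameter entities (<!ENTITY % ...>)
# and external entities (SYSTEM/PUBLIC) are deliberately not matched: this
# check covers the nested internal references the CVE describes.
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character

# Budget for fully expanded text; tune it to what the consuming application needs.
MAX_EXPANSION = 10_000_000


def build_billion_laughs(depth: int, fanout: int) -> str:
    """Construct a nested-entity document (constructed test input, not a captured sample).

    lol0 is the literal "lol"; each lolN is `fanout` references to lol(N-1), so
    &lol{depth}; expands to 3 * fanout**depth characters. depth=9, fanout=10 is the
    classic attack (about 3 GB from a document of a few hundred bytes).
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    subset = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{subset}\n]>\n<lolz>&lol{depth};</lolz>'


def worst_case_expansion(doc: str) -> int:
    """Characters the document (outside its DOCTYPE) would occupy with every internal
    general entity reference fully substituted.

    Raises ValueError on a reference cycle (&a; -> &b; -> &a;), which is not
    well-formed XML and must be rejected rather than expanded.
    """
    start = doc.find("<!DOCTYPE")
    end = doc.find("]>", start) if start != -1 else -1
    if start != -1 and end != -1:
        subset, body = doc[start:end], doc[:start] + doc[end + 2:]
    else:
        subset, body = "", doc

    decls = {}
    for m in _ENTITY_DECL.finditer(subset):
        # XML rule: the first declaration of a name is binding, later ones are ignored.
        decls.setdefault(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))

    sizes = {}          # memoised expanded length per entity name
    in_progress = set()  # names whose expansion is on the call stack (cycle detection)

    def entity_len(name: str) -> int:
        if name in _PREDEFINED:
            return 1
        if name not in decls:
            return 0  # undeclared reference is a well-formedness error, nothing to expand
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError(f"entity reference cycle through &{name};")
        in_progress.add(name)
        sizes[name] = expanded_len(decls[name])
        in_progress.discard(name)
        return sizes[name]

    def expanded_len(text: str) -> int:
        # Length of `text` after replacing each reference with its expanded size.
        total, last = 0, 0
        for ref in _ENTITY_REF.finditer(text):
            total += ref.start() - last + entity_len(ref.group(1))
            last = ref.end()
        return total + len(text) - last

    return expanded_len(body)


def within_expansion_budget(doc: str, limit: int = MAX_EXPANSION) -> bool:
    """Gate to run on untrusted XML before it reaches libxml2 or any DTD-processing parser."""
    try:
        return worst_case_expansion(doc) <= limit
    except ValueError:
        return False


if __name__ == "__main__":
    for depth in (3, 9):
        doc = build_billion_laughs(depth, 10)
        print(f"depth={depth}: {len(doc)} bytes on the wire -> "
              f"{worst_case_expansion(doc):,} chars expanded, "
              f"accepted={within_expansion_budget(doc)}")
```

The estimate is deliberately conservative: references inside comments or CDATA sections are counted as if they expanded, and a cycle is treated as a rejection rather than an error to report upstream. It only covers internal general entities, so it is a stopgap for systems that cannot yet take the fixed package, not a substitute for the upgrade described below.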
How to fix CVE-2014-3660
To remediate CVE-2014-3660, upgrade the affected package to a fixed version below.
- Debian/libxml2—upgrade to 2.9.2+dfsg1-1 or later
- Debian/libxml2—upgrade to 2.7.8.dfsg-2+squeeze10 or later
- Debian/libxml2—upgrade to 2.8.0+dfsg1-7+wheezy2 or later
Is CVE-2014-3660 being exploited?
Low — EPSS is 3.9%, i.e. the model estimates a 3.9% probability that this CVE is exploited in the wild within the next 30 days. EPSS is a prediction, not a record of observed attacks, and this is a denial-of-service bug that any client able to get a crafted document to an unpatched parser can trigger, so treat the low score as a prioritization signal rather than a reason to leave affected packages unpatched.
Affected packages (3)
- Debian/libxml2 from 0, < 2.9.2+dfsg1-1
- Debian/libxml2 from 0, < 2.7.8.dfsg-2+squeeze10
- Debian/libxml2 from 0, < 2.8.0+dfsg1-7+wheezy2