Security update for perl-XML-Twig SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2173-1 Final 1 1 2020-08-07T14:11:21Z current 2020-08-07T14:11:21Z 2020-08-07T14:11:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for perl-XML-Twig This update for perl-XML-Twig fixes the following issues: - Security fix [bsc#1008644, CVE-2016-9180] * Added: the no_xxe option to XML::Twig::new, which causes the parse to fail if external entities are used (to prevent malicious XML to access the filesystem). * Setting expand_external_ents to 0 or -1 currently doesn't work as expected; To completely turn off expanding external entities use no_xxe. * Update documentation for XML::Twig to mention problems with expand_external_ents and add information about new no_xxe argument The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-SAP-BYOS-2020-2173,Image SLES12-SP5-Azure-SAP-On-Demand-2020-2173,Image SLES12-SP5-EC2-SAP-BYOS-2020-2173,Image SLES12-SP5-EC2-SAP-On-Demand-2020-2173,Image SLES12-SP5-GCE-SAP-BYOS-2020-2173,Image SLES12-SP5-GCE-SAP-On-Demand-2020-2173,Image SLES12-SP5-OCI-BYOS-SAP-BYOS-2020-2173,Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2020-2173,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2020-2173,SUSE-2020-2173,SUSE-SLE-SERVER-12-SP5-2020-2173 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202173-1/ Link for SUSE-SU-2020:2173-1 https://lists.suse.com/pipermail/sle-security-updates/2020-August/007244.html E-Mail link for SUSE-SU-2020:2173-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1008644 SUSE Bug 1008644 https://www.suse.com/security/cve/CVE-2016-9180/ SUSE CVE CVE-2016-9180 page Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Image SLES12-SP5-OCI-BYOS-SAP-BYOS Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 perl-XML-Twig-3.44-5.3.1 perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-GCE-SAP-BYOS perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-GCE-SAP-On-Demand perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-OCI-BYOS-SAP-BYOS perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production perl-XML-Twig-3.44-5.3.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production perl-XML-Twig-3.44-5.3.1 as a component of SUSE Linux Enterprise Server 12 SP5 perl-XML-Twig-3.44-5.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 perl-XML-Twig: The option to `expand_external_ents`, documented as controlling external entity expansion in XML::Twig does not work. External entities are always expanded, regardless of the option's setting. CVE-2016-9180 Image SLES12-SP5-Azure-SAP-BYOS:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-Azure-SAP-On-Demand:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-EC2-SAP-BYOS:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-EC2-SAP-On-Demand:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-GCE-SAP-BYOS:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-GCE-SAP-On-Demand:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:perl-XML-Twig-3.44-5.3.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:perl-XML-Twig-3.44-5.3.1 SUSE Linux Enterprise Server 12 SP5:perl-XML-Twig-3.44-5.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:perl-XML-Twig-3.44-5.3.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202173-1/ https://www.suse.com/security/cve/CVE-2016-9180.html CVE-2016-9180 https://bugzilla.suse.com/1008644 SUSE Bug 1008644