libxml_disable_entity_loader is not threadsafe
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php5 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Trusty | Fix Released | Undecided | Unassigned | |

Bug Description
libxml's libxml_
Zend came up with a separate library for this: https:/
AFAIK the patch to fix this issue has not yet been backported. I think it would be a much-needed security enhancement, given that the workaround is hard and, as history has shown, prone to complicated Unicode encoding attacks.
For more information, please see:
* https:/
* https:/
information type: | Private Security → Public Security |
Changed in php5 (Ubuntu): | |
status: | New → Confirmed |
description: | updated |
summary: |
- Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04
+ libxml_disable_entity_loader is not threadsafe |
Status changed to 'Confirmed' because the bug affects multiple users.