CVE-2009-2473: fix for "billion laughs" attack against expat

Joe Orton joe at manyfish.co.uk
Tue Aug 18 11:19:09 EDT 2009


neon 0.28.6 has a fix for the "billion laughs" entity expansion attack 
against expat.  If a client application visited a malicious DAV server, 
or used the XML parsing interfaces (ne_xml*) to parse an XML document 
from an attacker, a denial of service attack was possible.

This issue has been assigned CVE name CVE-2009-2473.

All versions of neon older than 0.28.6 are affected, where linked 
against expat.  This issue does not affect versions of neon which are 
compiled to use libxml2 instead of expat, provided the libxml2 version 
is 2.6.32 or greater.

Regards, Joe
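Added illustration, not code from neon or from this announcement: it reproduces the entity-expansion amplification the message describes and shows two defences that a client-side XML consumer can apply. It uses Python's xml.parsers.expat binding to the same expat library neon links against, not neon's ne_xml interfaces; the attack document, the function names and the 1 MiB budget are constructed for the example, and the announcement does not say whether either defence is what neon 0.28.6 itself does. The sample is kept far below the 8 MiB activation threshold of the amplification limit that expat itself gained in 2.4.0, so it behaves the same on old and new expat builds.

```python
"""Reproduce and mitigate a "billion laughs" entity-expansion attack with expat.

Added example (not neon's code). Uses Python's binding to the expat library
that neon links against. All inputs are constructed here for the demonstration.
"""
import xml.parsers.expat


class EntityExpansionRejected(Exception):
    """Raised by the hardened parser when a document trips a defence."""


def billion_laughs(depth=4, fanout=10):
    """Build a constructed attack document.

    Entity lol0 is "lol"; each lolN expands to `fanout` copies of lol(N-1), so
    the single reference in the body expands to 3 * fanout**depth bytes from a
    document of a few hundred bytes. depth=4 gives 30000 bytes: deliberately
    tiny, so it runs in milliseconds and stays under expat 2.4's built-in limit.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, "&lol%d;" % (i - 1) * fanout))
    return ('<?xml version="1.0"?><!DOCTYPE x [%s]><x>&lol%d;</x>'
            % ("".join(decls), depth))


def parse_unprotected(doc):
    """Default expat behaviour: every internal entity reference is expanded and
    handed to the character-data handler. Returns the number of characters
    produced, i.e. the amplification the attacker gets for free."""
    parser = xml.parsers.expat.ParserCreate()
    produced = [0]

    def on_chars(data):
        produced[0] += len(data)

    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return produced[0]


def parse_hardened(doc, allow_entities=False, max_output=1 << 20):
    """Two independent defences (assumed policy, not neon's):

      1. allow_entities=False: refuse any entity declaration in the DTD. A DAV
         client never needs one, so the first <!ENTITY ...> aborts the parse.
      2. max_output: cap the total character data produced, so even when
         entities are permitted the expansion cannot exceed the budget.

    Raising inside an expat handler stops the parser and propagates out of
    Parse(), so no further expansion happens after the defence fires.
    Returns characters accepted, or raises EntityExpansionRejected.
    """
    parser = xml.parsers.expat.ParserCreate()
    produced = [0]

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not allow_entities:
            raise EntityExpansionRejected("entity declaration %r refused" % name)

    def on_chars(data):
        produced[0] += len(data)
        if produced[0] > max_output:
            raise EntityExpansionRejected(
                "expansion budget of %d characters exceeded" % max_output)

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return produced[0]


def verdict(doc, **kw):
    """Return "accepted:<chars>" or "rejected:<reason>" for parse_hardened."""
    try:
        return "accepted:%d" % parse_hardened(doc, **kw)
    except EntityExpansionRejected as exc:
        return "rejected:%s" % exc


if __name__ == "__main__":
    attack = billion_laughs(4, 10)
    print("attack document size:", len(attack))
    print("unprotected expansion:", parse_unprotected(attack))
    print("hardened, entities refused:", verdict(attack))
    print("hardened, budget 1000:", verdict(attack, allow_entities=True, max_output=1000))
    print("benign document:", verdict("<x>hello</x>"))
```

Refusing entity declarations outright is the simpler and stronger choice for a DAV client, since the protocol's XML bodies never rely on DTD-declared entities; the output budget is the fallback for a consumer that must accept arbitrary documents, and it also bounds expansion driven by external or parameter entities that the first check would not see if they were allowed.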


