CVE-2009-2473: fix for "billion laughs" attack against expat

Joe Orton
Tue Aug 18 11:19:09 EDT 2009

neon 0.28.6 has a fix for the "billion laughs" entity expansion attack 
against expat.  If a client application visited a malicious DAV server, 
or used the XML parsing interfaces (ne_xml*) to parse an XML document 
from an attacker, a denial of service attack was possible.

This issue has been assigned CVE name CVE-2009-2473.

All versions of neon older than 0.28.6 are affected, where linked 
against expat.  This issue does not affect versions of neon which are 
compiled to use libxml2 instead of expat, provided the libxml2 version 
is 2.6.32 or greater.

Regards, Joe
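One way to harden an expat-based parser against the entity-expansion class of attack named above, as an added example that is not neon's own code: register an expat entity-declaration handler that aborts the parse before any entity can be expanded. It uses Python's standard-library expat binding; the "refuse every entity declaration" policy and the two sample documents are constructed for the illustration.

```python
# Added example (not neon's code): make expat refuse internal entity
# declarations, so nested-entity expansion never begins.
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised when the document tries to declare an entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML with expat and return the element names seen, in order.

    The only way a document can define entities is in its DTD, so a
    handler that aborts on the first declaration bounds the parser's
    work regardless of how the entities would have nested.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Constructed policy: no entity declarations at all in untrusted input.
        raise EntityDeclarationRejected("entity declaration %r rejected" % name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # exceptions from handlers propagate out of Parse
    return seen


def is_rejected(data: bytes) -> bool:
    """True if the document is refused because it declares an entity."""
    try:
        parse_untrusted_xml(data)
    except EntityDeclarationRejected:
        return True
    return False


# Constructed sample documents: a benign WebDAV-style response and one that
# declares an entity (a single declaration is enough to trigger the policy).
SAFE_DOC = (b"<?xml version='1.0'?>"
            b"<D:multistatus xmlns:D='DAV:'><D:response/></D:multistatus>")
ENTITY_DOC = (b"<?xml version='1.0'?>"
              b"<!DOCTYPE d [<!ENTITY a 'aaaaaaaaaa'>]><d>&a;</d>")

if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_DOC))
    print("entity document rejected:", is_rejected(ENTITY_DOC))
```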
