CVE-2009-2473: fix for "billion laughs" attack against expat
Joe Orton
joe at manyfish.co.uk
Tue Aug 18 11:19:09 EDT 2009
neon 0.28.6 has a fix for the "billion laughs" entity expansion attack
against expat. If a client application visited a malicious DAV server,
or used the XML parsing interfaces (ne_xml*) to parse an XML document
from an attacker, a denial of service attack was possible.
This issue has been assigned CVE name CVE-2009-2473.
All versions of neon older than 0.28.6 are affected, where linked
against expat. This issue does not affect versions of neon which are
compiled to use libxml2 instead of expat, provided the libxml2 version
is 2.6.32 or greater.
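The following is an added illustration, not code from neon or from this post. It uses Python's `xml.parsers.expat` binding, which drives the same expat parser neon links against, to show (1) how much text a small nested-entity document expands to under default settings, and (2) two defences a client library can apply: refusing any entity declaration outright, which is reasonable for a DAV client since WebDAV responses have no legitimate need for DTD entities (an assumption about the protocol, not a statement from the post), and capping the ratio of delivered character data to input size. The sample documents, handler names and the `max_ratio` limit are constructed for the example; whether neon's own fix took either approach is not stated here.

```python
"""Entity-expansion denial of service against expat, and two defences."""
import xml.parsers.expat

# Constructed sample: a scaled-down "billion laughs" document, five levels of
# tenfold nesting (10^4 * "lol" = 30000 characters from ~400 bytes of input).
NESTED_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol0 "lol">
 <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>"""

# Constructed sample: a benign WebDAV-style multistatus body with no DTD.
BENIGN_XML = (b'<?xml version="1.0"?>'
              b'<D:multistatus xmlns:D="DAV:"><D:response>'
              b'<D:href>/a</D:href></D:response></D:multistatus>')


class EntityRejected(Exception):
    """Raised by defence 1 when the document declares any entity."""


class ExpansionBudgetExceeded(Exception):
    """Raised by defence 2 when expanded text exceeds the allowed ratio."""


def expanded_text_size(data: bytes) -> int:
    """Parse with default settings and return the number of characters expat
    delivered as character data, i.e. the size after entity expansion."""
    total = 0

    def on_chars(text):
        nonlocal total
        total += len(text)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return total


def parse_rejecting_entities(data: bytes) -> int:
    """Defence 1: abort on the first entity declaration, before any reference
    can be expanded. Returns the number of start tags seen on success."""
    start_tags = 0

    def on_start(name, attrs):
        nonlocal start_tags
        start_tags += 1

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An exception raised in a handler propagates out of Parse() and
        # stops the parser, so the entity is never expanded.
        raise EntityRejected("entity declaration %r rejected" % name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return start_tags


def parse_with_expansion_budget(data: bytes, max_ratio: int = 10) -> int:
    """Defence 2: allow entities but abort once delivered character data
    exceeds max_ratio times the input size. Returns characters delivered."""
    budget = max_ratio * len(data)
    delivered = 0

    def on_chars(text):
        nonlocal delivered
        delivered += len(text)
        if delivered > budget:
            raise ExpansionBudgetExceeded(
                "expanded text exceeded %d bytes" % budget)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return delivered


if __name__ == "__main__":
    print("default parse expanded to", expanded_text_size(NESTED_ENTITY_XML), "chars")
    for defence in (parse_rejecting_entities, parse_with_expansion_budget):
        try:
            defence(NESTED_ENTITY_XML)
        except (EntityRejected, ExpansionBudgetExceeded) as exc:
            print(defence.__name__, "blocked it:", exc)
    print("benign document parsed,", parse_rejecting_entities(BENIGN_XML), "elements")
```

The first defence is the cheaper and more predictable one for a protocol client: it needs no tuning and fails before any expansion work is done. The ratio-based budget is the fallback when a document format legitimately uses entities; note that it still lets the parser do `max_ratio` times the input's worth of work before stopping, so the limit should be small.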
Regards, Joe
More information about the neon mailing list