Fedora has issued an advisory on August 24: https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115039.html Fedora has a patch, and a link to the upstream commit to fix it in bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=999687 Mageia 2 and Mageia 3 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO, MGA2TOO
php-pear-Auth_OpenID-2.2.2-1.mga2, php-pear-Auth_OpenID-2.2.2-1.mga3 and php-pear-Auth_OpenID-2.2.2-1.mga4 has been submitted where this is fixed.
CC: (none) => oe
Thanks Oden! Advisory: ======================== Updated php-pear-Auth_OpenID packages fix security vulnerability: Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2013-4701). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4701 https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115039.html ======================== Updated packages in core/updates_testing: ======================== php-pear-Auth_OpenID-2.2.2-1.mga2 php-pear-Auth_OpenID-2.2.2-1.mga3 from SRPMS: php-pear-Auth_OpenID-2.2.2-1.mga2.src.rpm php-pear-Auth_OpenID-2.2.2-1.mga3.src.rpm
CC: (none) => thomasVersion: Cauldron => 3Assignee: thomas => qa-bugsWhiteboard: MGA3TOO, MGA2TOO => MGA2TOO
As discussed with David Walser on irc, just testing that it installs cleanly. Advisory 11147.adv committed to svn. Someone from the sysadmin team please push 11147.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0272.html
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
CC: boklm => (none)