severity 842893 grave
thanks
On Wed, Nov 02, 2016 at 07:07:13AM +0100, Salvatore Bonaccorso wrote:
> Source: libxml-twig-perl
> Version: 1:3.39-1
> Severity: important
> Tags: security upstream
> Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=118097
>
> Hi
>
> XML::Twig's expand_external_ents fails to work as documented, see the
> upstream bug report for details and as well reported to Red Hat at
> https://bugzilla.redhat.com/show_bug.cgi?id=1379553 .
>
> There is though still no upstream fix for it.
This is unfixed for long time and I don't think this should slip
unfixed into another stable release. Especially given that the fix is
simple; 3.50 introduced the no_xxe option, so all that needs to be
done is to fix the misleading docs for expand_external_ents (and
refer to use no_xxe instead there).
Cheers,
Moritz