[please excuse the repetition if you've seen this on other lists]
I have uploaded  version 1.0.2 of the Perl module MARC::File::XML
to CPAN. This is a security release that repairs an XML external
entity (XXE) vulnerability. I recommend that all users of
MARC::File::XML upgrade promptly, particularly if the use is via a web
application that accepts MARCXML input.
Here is the change log entry:
1.0.2 Tue Jan 21 17:18:37 UTC 2014
- MARC::File::XML will now die upon parsing a record that
declares an external entity and tries to use it. This
prevents the potential unwanted disclosure of the contents
of files on the server by applications that embed this module.
If, for some reason, an application needs to process MARCXML
records that contain external entities, set_parser() can be
used to force the use of an XML::LibXML parser that is
configured to process external entities.
The issue was reported by John Lightsey.
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: [log in to unmask]
direct: +1 770-709-5581
cell: +1 404-984-4366
Supporting Koha and Evergreen: http://koha-community.org &