
An xmlbeans security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input.



ELA-446-1 xmlbeans security update

Package: xmlbeans
Version: 2.6.0-2+deb8u1
Related CVEs: CVE-2021-23926

The XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include the possibility of XML Entity Expansion attacks, which could lead to a denial of service. This update implements sensible defaults for the XML parsers to prevent these kinds of attacks.

For Debian 8 jessie, these problems have been fixed in version 2.6.0-2+deb8u1.

We recommend that you upgrade your xmlbeans packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
