Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-5265

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Related bugs and status

CVE-2014-5265 (Candidate) is related to these bugs:

Bug #1395336: security fixes since 3.8.2

Summary				In	Importance	Status
	1395336	security fixes since 3.8.2		wordpress (Ubuntu)	Undecided	Invalid
	1395336	security fixes since 3.8.2		wordpress (Ubuntu Trusty)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://cgit.drupalcode...
CONFIRM: https://core.trac.word...
CONFIRM: https://wordpress.org/...
CONFIRM: https://www.drupal.org...
DEBIAN: DSA-2999
DEBIAN: DSA-3001