Security update for dom4j SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3998-1 Final 1 1 2018-12-06T14:34:46Z current 2018-12-06T14:34:46Z 2018-12-06T14:34:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dom4j This update for dom4j fixes the following issues: - CVE-2018-1000632: Prevent XML injection that could have resulted in an attacker tampering with XML documents (bsc#1105443). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00000.html E-Mail link for openSUSE-SU-2018:3998-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 dom4j-1.6.1-lp150.3.3.1 dom4j-demo-1.6.1-lp150.3.3.1 dom4j-javadoc-1.6.1-lp150.3.3.1 dom4j-manual-1.6.1-lp150.3.3.1 dom4j-1.6.1-lp150.3.3.1 as a component of openSUSE Leap 15.0 dom4j-demo-1.6.1-lp150.3.3.1 as a component of openSUSE Leap 15.0 dom4j-javadoc-1.6.1-lp150.3.3.1 as a component of openSUSE Leap 15.0 dom4j-manual-1.6.1-lp150.3.3.1 as a component of openSUSE Leap 15.0 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. CVE-2018-1000632 openSUSE Leap 15.0:dom4j-1.6.1-lp150.3.3.1 openSUSE Leap 15.0:dom4j-demo-1.6.1-lp150.3.3.1 openSUSE Leap 15.0:dom4j-javadoc-1.6.1-lp150.3.3.1 openSUSE Leap 15.0:dom4j-manual-1.6.1-lp150.3.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00000.html https://www.suse.com/security/cve/CVE-2018-1000632.html CVE-2018-1000632 https://bugzilla.suse.com/1105443 SUSE Bug 1105443