Security update for dom4j SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:4045-1 Final 1 1 2018-12-07T18:04:50Z current 2018-12-07T18:04:50Z 2018-12-07T18:04:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dom4j This update for dom4j fixes the following issues: - CVE-2018-1000632: Prevent XML injection that could have resulted in an attacker tampering with XML documents (bsc#1105443). This update was imported from the SUSE:SLE-15:Update update project. This update was imported from the openSUSE:Leap:15.0:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-1492 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ/#5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ E-Mail link for openSUSE-SU-2018:4045-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1105443 SUSE Bug 1105443 https://www.suse.com/security/cve/CVE-2018-1000632/ SUSE CVE CVE-2018-1000632 page SUSE Package Hub 15 dom4j-1.6.1-bp150.2.3.1 dom4j-demo-1.6.1-bp150.2.3.1 dom4j-javadoc-1.6.1-bp150.2.3.1 dom4j-manual-1.6.1-bp150.2.3.1 dom4j-1.6.1-bp150.2.3.1 as a component of SUSE Package Hub 15 dom4j-demo-1.6.1-bp150.2.3.1 as a component of SUSE Package Hub 15 dom4j-javadoc-1.6.1-bp150.2.3.1 as a component of SUSE Package Hub 15 dom4j-manual-1.6.1-bp150.2.3.1 as a component of SUSE Package Hub 15 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. CVE-2018-1000632 SUSE Package Hub 15:dom4j-1.6.1-bp150.2.3.1 SUSE Package Hub 15:dom4j-demo-1.6.1-bp150.2.3.1 SUSE Package Hub 15:dom4j-javadoc-1.6.1-bp150.2.3.1 SUSE Package Hub 15:dom4j-manual-1.6.1-bp150.2.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ/#5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ https://www.suse.com/security/cve/CVE-2018-1000632.html CVE-2018-1000632 https://bugzilla.suse.com/1105443 SUSE Bug 1105443