ELA-446-1 xmlbeans security update

XML Entity Expansion attack

2021-06-28
Package xmlbeans
Version 2.6.0-2+deb8u1
Related CVEs CVE-2021-23926


The XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include the possibility of XML Entity Expansion attacks, which could lead to a denial of service. This update implements sensible defaults for the XML parsers to prevent this kind of attack.



For Debian 8 jessie, these problems have been fixed in version 2.6.0-2+deb8u1.

We recommend that you upgrade your xmlbeans packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.