Security update for dom4j SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:3908-1 Final 1 1 2018-10-26T09:26:56Z current 2018-10-26T09:26:56Z 2018-10-26T09:26:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dom4j This update for dom4j fixes the following issues: - CVE-2018-1000632: Prevent XML injection that could have resulted in an attacker tampering with XML documents (bsc#1105443). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20183908-1/ Link for SUSE-SU-2018:3908-1 https://lists.suse.com/pipermail/sle-security-updates/2018-November/004886.html E-Mail link for SUSE-SU-2018:3908-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1105443 SUSE Bug 1105443 https://www.suse.com/security/cve/CVE-2018-1000632/ SUSE CVE CVE-2018-1000632 page SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 dom4j-1.6.1-4.3.2 dom4j-demo-1.6.1-4.3.2 dom4j-javadoc-1.6.1-4.3.2 dom4j-manual-1.6.1-4.3.2 dom4j-1.6.1-4.3.2 as a component of SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 dom4j-demo-1.6.1-4.3.2 as a component of SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 dom4j-javadoc-1.6.1-4.3.2 as a component of SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 dom4j-manual-1.6.1-4.3.2 as a component of SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. CVE-2018-1000632 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:dom4j-1.6.1-4.3.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:dom4j-demo-1.6.1-4.3.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:dom4j-javadoc-1.6.1-4.3.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:dom4j-manual-1.6.1-4.3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183908-1/ https://www.suse.com/security/cve/CVE-2018-1000632.html CVE-2018-1000632 https://bugzilla.suse.com/1105443 SUSE Bug 1105443