Arch Linux Security Advisory ASA-201512-12 ========================================== Severity: Medium Date : 2015-12-17 CVE-ID : CVE-2015-8549 Package : python2-pyamf Type : XML external entity injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package python2-pyamf before version 0.8.0-2 is vulnerable to XML external entity injection. Resolution ========== Upgrade to 0.8.0-2. # pacman -Syu "python2-pyamf>=0.8.0-2" The problem has been fixed upstream in version 0.8.0 Workaround ========== None. Description =========== PyAMF suffers from insufficient AMF input payload sanitization which results in the XML parser not preventing the processing of XML external entities (XXE). A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger denial of service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges. Impact ====== A remote attacker is able to craft special XML files that, when processed, are injecting external entities resulting in denial of service of disclosure of arbitrary file contents. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8549 http://www.ocert.org/advisories/ocert-2015-011.html https://github.com/hydralabs/pyamf/pull/58