On Thu, 17 Nov 2016 20:57:26 +0000
"Robin H. Johnson" <robb...@gentoo.org> wrote:

>  - eg metadata.xml (nothing for user systems is impacted by it, other
>        than to give output about packages).

Idle thought: Given there are classes of vulnerabilities related to XML
parsing and decoding, any systems that attempt to read this file should
ensure it is "good" before doing so.

But I don't really know the specifics of XXE vulns, only that I saw a
few in the last few months.
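
An added example, not part of the original message: one way a tool could vet a metadata.xml before handing it to a full XML parser, using Python's standard `xml.parsers.expat`. The function name, exception class and sample documents are constructed for illustration; it assumes the file may legitimately carry a DOCTYPE that names an external DTD.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """The document uses DTD features a metadata reader does not need."""


def check_metadata_xml(data: bytes) -> str:
    """Return the root element name; raise UnsafeXML or ExpatError otherwise.

    A bare DOCTYPE naming an external DTD is tolerated, because expat does not
    fetch external DTDs unless parameter-entity parsing is switched on.
    An internal subset or any entity declaration is refused.
    """
    root = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if has_internal_subset:
            raise UnsafeXML("DOCTYPE with internal subset")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Second line of defence: entity declarations live inside a DTD subset.
        raise UnsafeXML(f"entity declaration: {name}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # True = final chunk; malformed input raises ExpatError
    return root[0]


# Constructed samples (not taken from any real repository).
GOOD_SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<!DOCTYPE pkgmetadata SYSTEM "https://example.invalid/metadata.dtd">\n'
               b'<pkgmetadata><longdescription>demo</longdescription></pkgmetadata>')
BAD_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE pkgmetadata [ <!ENTITY note "expanded text"> ]>\n'
              b'<pkgmetadata><longdescription>&note;</longdescription></pkgmetadata>')

if __name__ == "__main__":
    print(check_metadata_xml(GOOD_SAMPLE))
    try:
        check_metadata_xml(BAD_SAMPLE)
    except UnsafeXML as exc:
        print("rejected:", exc)
```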
