2012-11-26 Instructure Advisory IAC41628 - XML Parsing Vulnerability
SECURITY UPDATE
Release Date: 2012-11-26 (Last update can be found below the document title)
Description: XML Parsing Vulnerability
Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
Impact:
Systems Affected: Canvas LMS
Solution Status: Patched in Canvas Cloud
Discovered By: Securus Global
Relevant Changesets:
  Canvas: N/A
  libxml2: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
Summary:
An XML parsing vulnerability was discovered in libxml, the underlying library that Canvas uses for parsing incoming XML (through the Nokogiri Ruby gem). This vulnerability could allow an attacker to view sensitive system information on the application servers.
Because the bug is in libxml, there is no relevant change in Canvas itself. Users of Canvas CV are encouraged to either upgrade to libxml 2.9 or above, or apply the patch listed above manually and build new libxml packages.
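
To confirm which libxml2 a self-hosted install is actually running, the check below compares the version Nokogiri has loaded against the 2.9 threshold given above. It is an added example, not code from Instructure or Canvas; the helper names `normalize_libxml_version` and `libxml_status` are hypothetical, and it assumes Nokogiri's `VERSION_INFO` hash reports the `compiled` and `loaded` libxml2 versions.

```ruby
require "rubygems"

# Threshold taken from the advisory text: "libxml 2.9 or above".
FIXED_IN = Gem::Version.new("2.9.0")

# Accepts dotted strings ("2.8.0", "2.9.1-GITv2.9.1") and libxml2's packed
# numeric form ("20901" = major*10000 + minor*100 + micro).
def normalize_libxml_version(raw)
  s = raw.to_s.strip
  if s =~ /\A(\d{5,})/
    n = Regexp.last_match(1).to_i
    return Gem::Version.new([n / 10_000, (n / 100) % 100, n % 100].join("."))
  end
  m = s.match(/\A(\d+(?:\.\d+){1,2})/)
  raise ArgumentError, "unrecognised libxml2 version: #{raw.inspect}" unless m
  Gem::Version.new(m[1])
end

# Returns the normalized loaded version plus a list of findings.
# :below_fixed_release     -> upgrade, or confirm the package carries the patch
#                             (a version number cannot show a backported fix).
# :compiled_loaded_mismatch -> the gem was built against a different libxml2
#                             than the one loaded at runtime; rebuild it.
def libxml_status(loaded:, compiled: nil)
  l = normalize_libxml_version(loaded)
  findings = []
  findings << :below_fixed_release if l < FIXED_IN
  if compiled && normalize_libxml_version(compiled) != l
    findings << :compiled_loaded_mismatch
  end
  { loaded: l.to_s, findings: findings }
end

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    info = Nokogiri::VERSION_INFO["libxml"] || {}
    if info["loaded"]
      puts libxml_status(loaded: info["loaded"], compiled: info["compiled"])
    else
      puts "Nokogiri is not reporting a libxml2 version on this platform"
    end
  rescue LoadError
    puts "nokogiri is not installed in this Ruby environment"
  end
end
```

Run it with the same Ruby and bundle the application servers use, since a system Ruby may load a different libxml2 than the Canvas processes do.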