An update for xmlbeans is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1077
Final
1.0
1.0
2021-03-05
Initial
2021-03-05
2021-03-05
openEuler SA Tool V1.0
2021-03-05
xmlbeans security update
An update for xmlbeans is now available for openEuler-20.03-LTS-SP1.
XMLBeans is a tool that allows you to access the full power of XML in a Java-friendly way. It is an XML-Java binding tool. The idea is that you can take advantage of the richness and features of XML and XML Schema and have these features mapped as naturally as possible to the equivalent Java language and typing constructs. XMLBeans uses XML Schema to compile Java interfaces and classes that you can then use to access and modify XML instance data. Using XMLBeans is similar to using any other Java interface or class: you will see things like getFoo or setFoo, just as you would expect when working with Java. While a major use of XMLBeans is to access your XML instance data with strongly typed Java classes, there are also APIs that give you access to the full XML infoset (XMLBeans keeps full XML Infoset fidelity) and that let you reflect into the XML schema itself through an XML Schema Object model.
Security Fix(es):
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. (CVE-2021-23926)
openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Critical
xmlbeans
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1077
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-23926
https://nvd.nist.gov/vuln/detail/CVE-2021-23926
openEuler-20.03-LTS-SP1
xmlbeans-2.6.0-2.oe1.noarch.rpm
xmlbeans-scripts-2.6.0-2.oe1.noarch.rpm
xmlbeans-javadoc-2.6.0-2.oe1.noarch.rpm
xmlbeans-manual-2.6.0-2.oe1.noarch.rpm
xmlbeans-2.6.0-2.oe1.src.rpm
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
2021-03-05
CVE-2021-23926
openEuler-20.03-LTS-SP1
Critical
9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
xmlbeans security update
2021-03-05
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1077