libapache-mod-security - XML external entity processing vulnerability

Timur Yunusov and Alexey Osipov from Positive Technologies discovered
that the XML files parser of ModSecurity, an Apache module whose purpose
is to tighten the Web application security, is vulnerable to XML
external entities attacks. A specially-crafted XML file provided by a
remote attacker, could lead to local file disclosure or excessive
resources (CPU, memory) consumption when processed.

This update introduces a SecXmlExternalEntity option which is Off
by default. This will disable the ability of libxml2 to load external
entities.

For the stable distribution (squeeze), this problem has been fixed in
version 2.5.12-1+squeeze2.

For the testing distribution (wheezy), this problem has been fixed in
version 2.6.6-6 of the modsecurity-apache package.

For the unstable distribution (sid), this problem has been fixed in
version 2.6.6-6 of the modsecurity-apache package.

We recommend that you upgrade your libapache-mod-security packages.