Jump to content
Compatible Support Forums
Sign in to follow this  
news

[Security Announce] [ MDVSA-2009:267 ] xmlsec1

Recommended Posts

This is a multi-part message in MIME format...

 

------------=_1255194391-13155-2573

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2009:267

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : xmlsec1

Date : October 10, 2009

Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0

_______________________________________________________________________

 

Problem Description:

 

A vulnerability has been found and corrected in xmlsec1:

 

A missing check for the recommended minimum length of the truncated

form of HMAC-based XML signatures was found in xmlsec1 prior to

1.2.12. An attacker could use this flaw to create a specially-crafted

XML file that forges an XML signature, allowing the attacker to

bypass authentication that is based on the XML Signature specification

(CVE-2009-0217).

 

This update fixes this vulnerability.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217

http://www.kb.cert.org/vuls/id/466161

_______________________________________________________________________

 

Updated Packages:

 

Mandriva Linux 2008.1:

388b774554e4872b7aa863c8c8d3597c 2008.1/i586/libxmlsec1-1-1.2.10-6.1mdv2008.1.i586.rpm

fb14b0f6a2f4fd24219e2452557751cc 2008.1/i586/libxmlsec1-devel-1.2.10-6.1mdv2008.1.i586.rpm

326ce38b3d0600524984eb130244935f 2008.1/i586/libxmlsec1-gnutls1-1.2.10-6.1mdv2008.1.i586.rpm

3a5069b48d3790f5387bf0b889c0b33e 2008.1/i586/libxmlsec1-gnutls-devel-1.2.10-6.1mdv2008.1.i586.rpm

eebce4a7e7013ff9e32b5d4f5b1eeb13 2008.1/i586/libxmlsec1-nss1-1.2.10-6.1mdv2008.1.i586.rpm

2a6ba4dd01ab9ea497bcff0f67538fb3 2008.1/i586/libxmlsec1-nss-devel-1.2.10-6.1mdv2008.1.i586.rpm

975bd585cabd4af6a33f83894105d546 2008.1/i586/libxmlsec1-openssl1-1.2.10-6.1mdv2008.1.i586.rpm

486748866cfd54a77dd7193c1125d9e2 2008.1/i586/libxmlsec1-openssl-devel-1.2.10-6.1mdv2008.1.i586.rpm

47d546bca4d9eabbd6156e32651b1d75 2008.1/i586/xmlsec1-1.2.10-6.1mdv2008.1.i586.rpm

8eac3805b6f992c9203a66d5b35c3085 2008.1/SRPMS/xmlsec1-1.2.10-6.1mdv2008.1.src.rpm

 

Mandriva Linux 2008.1/X86_64:

7484ba0791bd8706b852c2ae187e8786 2008.1/x86_64/lib64xmlsec1-1-1.2.10-6.1mdv2008.1.x86_64.rpm

771e9bd35a2901a224435f6d99885014 2008.1/x86_64/lib64xmlsec1-devel-1.2.10-6.1mdv2008.1.x86_64.rpm

4b94e2c01cb70e38d670f6d97ccc3082 2008.1/x86_64/lib64xmlsec1-gnutls1-1.2.10-6.1mdv2008.1.x86_64.rpm

e94a47d77ebc1b9d25861e83d5b56686 2008.1/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-6.1mdv2008.1.x86_64.rpm

3cc3249f6da0b6d215a9b8b57f2b9b69 2008.1/x86_64/lib64xmlsec1-nss1-1.2.10-6.1mdv2008.1.x86_64.rpm

09ce0f59062744d8ee0129255b99e48c 2008.1/x86_64/lib64xmlsec1-nss-devel-1.2.10-6.1mdv2008.1.x86_64.rpm

7cd72245babca168b5160c201b3650d0 2008.1/x86_64/lib64xmlsec1-openssl1-1.2.10-6.1mdv2008.1.x86_64.rpm

682073d947d961647cafb6bc80ad3206 2008.1/x86_64/lib64xmlsec1-openssl-devel-1.2.10-6.1mdv2008.1.x86_64.rpm

90fddbd13802bf1cef89e4948063ada8 2008.1/x86_64/xmlsec1-1.2.10-6.1mdv2008.1.x86_64.rpm

8eac3805b6f992c9203a66d5b35c3085 2008.1/SRPMS/xmlsec1-1.2.10-6.1mdv2008.1.src.rpm

 

Mandriva Linux 2009.0:

aef90b767a2e184dc2a2eec96cf2dd63 2009.0/i586/libxmlsec1-1-1.2.10-7.1mdv2009.0.i586.rpm

68ab430e0b63ec94f626168812909f5e 2009.0/i586/libxmlsec1-devel-1.2.10-7.1mdv2009.0.i586.rpm

932558e556911a0247fd96ca9af785d4 2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.1mdv2009.0.i586.rpm

a58e62c9234f4e3b2f6180b552348940 2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.1mdv2009.0.i586.rpm

d377cfb8e2bc4ec3457d7133b1e35a84 2009.0/i586/libxmlsec1-nss1-1.2.10-7.1mdv2009.0.i586.rpm

839c04900e607dba7e2431f711191521 2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.1mdv2009.0.i586.rpm

7359aade4fce3137d90f1c4bca721f1d 2009.0/i586/libxmlsec1-openssl1-1.2.10-7.1mdv2009.0.i586.rpm

ba579a3d4cd326a1f055ef0943dbee73 2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.1mdv2009.0.i586.rpm

82059801976d099e449944998126fda9 2009.0/i586/xmlsec1-1.2.10-7.1mdv2009.0.i586.rpm

c2cf86a3ea639e2d1241c8e129141353 2009.0/SRPMS/xmlsec1-1.2.10-7.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.0/X86_64:

31c3d20e6b1d34a717772a4e439686c2 2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.1mdv2009.0.x86_64.rpm

c689e59d577bb5b278789c4118a7618c 2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.1mdv2009.0.x86_64.rpm

5b7b2e53969e052865edead9d0f715a7 2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.1mdv2009.0.x86_64.rpm

02f857939f5450931ddf524d6d7c2300 2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.1mdv2009.0.x86_64.rpm

e16b2b9dd55c9e504fa5102665bda206 2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.1mdv2009.0.x86_64.rpm

91cbad72b3fa2cbc600b9d5bb9dfeef4 2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.1mdv2009.0.x86_64.rpm

1a36234cb7159d784965e467c834097b 2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.1mdv2009.0.x86_64.rpm

ebdc55d7854500a9bf383581a1244263 2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.1mdv2009.0.x86_64.rpm

8e059fd0e03d31b24f051877646a42fa 2009.0/x86_64/xmlsec1-1.2.10-7.1mdv2009.0.x86_64.rpm

c2cf86a3ea639e2d1241c8e129141353 2009.0/SRPMS/xmlsec1-1.2.10-7.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.1:

463cbcb0217b1a3b38a8be50ee3f3c54 2009.1/i586/libxmlsec1-1-1.2.10-8.1mdv2009.1.i586.rpm

720e8f608efb57405b85c887190bd007 2009.1/i586/libxmlsec1-devel-1.2.10-8.1mdv2009.1.i586.rpm

e56b286a1a9ff2048e4161d1c6750ac7 2009.1/i586/libxmlsec1-gnutls1-1.2.10-8.1mdv2009.1.i586.rpm

ea3b894c699ed5cb3d250a2815363845 2009.1/i586/libxmlsec1-gnutls-devel-1.2.10-8.1mdv2009.1.i586.rpm

df6e7309597adeeec626f072ba9b10a1 2009.1/i586/libxmlsec1-nss1-1.2.10-8.1mdv2009.1.i586.rpm

bd7d8418b77dc58657a3e7b2278fc7bf 2009.1/i586/libxmlsec1-nss-devel-1.2.10-8.1mdv2009.1.i586.rpm

8f5b2f6b6191af698aef68c4c31b848f 2009.1/i586/libxmlsec1-openssl1-1.2.10-8.1mdv2009.1.i586.rpm

1f5f51ec2a562a9668508b7e8f1edf79 2009.1/i586/libxmlsec1-openssl-devel-1.2.10-8.1mdv2009.1.i586.rpm

dda711479dc6ac367a72880900884118 2009.1/i586/xmlsec1-1.2.10-8.1mdv2009.1.i586.rpm

b2c8957e3cf68dd729ed999b1a8df4d4 2009.1/SRPMS/xmlsec1-1.2.10-8.1mdv2009.1.src.rpm

 

Mandriva Linux 2009.1/X86_64:

c54eade2b73fb50287f0bdc9c8f7b746 2009.1/x86_64/lib64xmlsec1-1-1.2.10-8.1mdv2009.1.x86_64.rpm

4a062d6f23f6136faaa56376be7f8459 2009.1/x86_64/lib64xmlsec1-devel-1.2.10-8.1mdv2009.1.x86_64.rpm

56c33b45f3e24d4f397565dee1f72026 2009.1/x86_64/lib64xmlsec1-gnutls1-1.2.10-8.1mdv2009.1.x86_64.rpm

1bd20c0d3045cef364c42c56cc7df6d1 2009.1/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-8.1mdv2009.1.x86_64.rpm

bf92e675998bc1fefcfe5cc3f5a569a0 2009.1/x86_64/lib64xmlsec1-nss1-1.2.10-8.1mdv2009.1.x86_64.rpm

168787927b24a7da78717d4c246685bd 2009.1/x86_64/lib64xmlsec1-nss-devel-1.2.10-8.1mdv2009.1.x86_64.rpm

404498bd0f6e29dda4d556fdcce71e4a 2009.1/x86_64/lib64xmlsec1-openssl1-1.2.10-8.1mdv2009.1.x86_64.rpm

18058e3ee91a4b39a6ac7cf3c9dbc34f 2009.1/x86_64/lib64xmlsec1-openssl-devel-1.2.10-8.1mdv2009.1.x86_64.rpm

602e5da1b10bbdd38ed65d1620821c83 2009.1/x86_64/xmlsec1-1.2.10-8.1mdv2009.1.x86_64.rpm

b2c8957e3cf68dd729ed999b1a8df4d4 2009.1/SRPMS/xmlsec1-1.2.10-8.1mdv2009.1.src.rpm

 

Mandriva Enterprise Server 5:

0084106a2bc4b970f0469c23dc30084e mes5/i586/libxmlsec1-1-1.2.10-7.1mdvmes5.i586.rpm

569d0ed58642f4eabcd9af1a3cb0402d mes5/i586/libxmlsec1-devel-1.2.10-7.1mdvmes5.i586.rpm

9380b3121a2e489cdeff709fab033379 mes5/i586/libxmlsec1-gnutls1-1.2.10-7.1mdvmes5.i586.rpm

ddf6b63d02850e9e07b2f130a2a2d2e6 mes5/i586/libxmlsec1-gnutls-devel-1.2.10-7.1mdvmes5.i586.rpm

dbf22baa4022b6d6625fc75b7cbf4bab mes5/i586/libxmlsec1-nss1-1.2.10-7.1mdvmes5.i586.rpm

69fd3bebdac3b66b2905c6c7a077a089 mes5/i586/libxmlsec1-nss-devel-1.2.10-7.1mdvmes5.i586.rpm

6f96e59feee66ecae20270df86aea965 mes5/i586/libxmlsec1-openssl1-1.2.10-7.1mdvmes5.i586.rpm

3613da5ca1c60d2ea16523804270013d mes5/i586/libxmlsec1-openssl-devel-1.2.10-7.1mdvmes5.i586.rpm

6e3742296ac15407bb1012efd48d608d mes5/i586/xmlsec1-1.2.10-7.1mdvmes5.i586.rpm

219a23cc35df25ca711a026647e13e3d mes5/SRPMS/xmlsec1-1.2.10-7.1mdvmes5.src.rpm

 

Mandriva Enterprise Server 5/X86_64:

a303d9680fca6ca97704d93e0a75fb03 mes5/x86_64/lib64xmlsec1-1-1.2.10-7.1mdvmes5.x86_64.rpm

8266c60eb8803dd449b382769aede1a2 mes5/x86_64/lib64xmlsec1-devel-1.2.10-7.1mdvmes5.x86_64.rpm

1f7f31d8c01ed6b7103e5518c22361e9 mes5/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.1mdvmes5.x86_64.rpm

914e15b7fc8b0fb27db816b8cdcd6b4b mes5/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.1mdvmes5.x86_64.rpm

779f85417bcc1dfcfd74816c8d45bf14 mes5/x86_64/lib64xmlsec1-nss1-1.2.10-7.1mdvmes5.x86_64.rpm

5b3f264fbe31533d326c962c7da38880 mes5/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.1mdvmes5.x86_64.rpm

80b5562a1902d0ad3ec16cea6c9d2ee6 mes5/x86_64/lib64xmlsec1-openssl1-1.2.10-7.1mdvmes5.x86_64.rpm

96838c1c267b78f9244787016f4927a3 mes5/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.1mdvmes5.x86_64.rpm

cb87ad0ded731d499eab63c4808610c6 mes5/x86_64/xmlsec1-1.2.10-7.1mdvmes5.x86_64.rpm

219a23cc35df25ca711a026647e13e3d mes5/SRPMS/xmlsec1-1.2.10-7.1mdvmes5.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

 

All packages are signed by Mandriva for security. You can obtain the

GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (GNU/Linux)

 

iD8DBQFK0JCzmqjQ0CJFipgRAiQkAKCPMeiv6u4c8QtJ9Xa+pqmI37PbUQCg6NcS

Mt8oN+14QbOcaASD3mgoV7I=

=5IPi

-----END PGP SIGNATURE-----

 

 

------------=_1255194391-13155-2573

Content-Type: text/plain; name="message-footer.txt"

Content-Disposition: inline; filename="message-footer.txt"

Content-Transfer-Encoding: 8bit

 

To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org

with this subject : unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva?

Go to http://www.mandrivastore.com

Join the Club : http://www.mandrivaclub.com

_______________________________________________________

 

------------=_1255194391-13155-2573--

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×