lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 04 Apr 2011 13:07:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:063 ] xmlsec1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:063
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xmlsec1
 Date    : April 4, 2011
 Affected: 2009.0, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in xmlsec1:
 
 xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as
 used in WebKit and other products, when XSLT is enabled, allows
 remote attackers to create or overwrite arbitrary files via vectors
 involving the libxslt output extension and a ds:Transform element
 during signature verification (CVE-2011-1425).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 ab2caef2b723f8a627f4682e9b9b295c  2009.0/i586/libxmlsec1-1-1.2.10-7.3mdv2009.0.i586.rpm
 a82fe9a2eb07213a40d5b062d0c5a230  2009.0/i586/libxmlsec1-devel-1.2.10-7.3mdv2009.0.i586.rpm
 2cec5cb556b742bcc87d10a14ded022c  2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.3mdv2009.0.i586.rpm
 7169d872a13bb5da168cad113ca3c9cb  2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.i586.rpm
 d9c9fe192a991bb7937fce742acac213  2009.0/i586/libxmlsec1-nss1-1.2.10-7.3mdv2009.0.i586.rpm
 c412b1cf110d47b6c9848a2718394e83  2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.3mdv2009.0.i586.rpm
 fb3fcd72027a0c4707d185c03d7e6ffe  2009.0/i586/libxmlsec1-openssl1-1.2.10-7.3mdv2009.0.i586.rpm
 ee2375b5ce6b80fb0a37f8a298df8ffc  2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.i586.rpm
 45ec8c67b589d6874c265c316f0ef715  2009.0/i586/xmlsec1-1.2.10-7.3mdv2009.0.i586.rpm 
 00a18a237c5aee09d3de790df4ee8d0b  2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ab200f5369469e19e89743b23a097764  2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.3mdv2009.0.x86_64.rpm
 15eb2c4424a6d91b68f5caef8db2fdff  2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 ad73f2e06650f4b76b482a1bf7532eac  2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdv2009.0.x86_64.rpm
 7c60997091a4214148c77d2d14c01a94  2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 22ac198274c38732b3f0a65e5814ffc7  2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdv2009.0.x86_64.rpm
 ddb61026f298b57254192f25398498d6  2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 a965cb539117930426efb7b6dbf8553d  2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdv2009.0.x86_64.rpm
 a2853268d49f512f660b0c85f32f3b98  2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 cfcb56269c2b2e79ea2701839fa93090  2009.0/x86_64/xmlsec1-1.2.10-7.3mdv2009.0.x86_64.rpm 
 00a18a237c5aee09d3de790df4ee8d0b  2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 bdc91e075985a73525da8a27c50f3e4d  2010.0/i586/libxmlsec1-1-1.2.13-1.2mdv2010.0.i586.rpm
 a8cf6ac42e0ae7df962f3b6e1abd0a27  2010.0/i586/libxmlsec1-devel-1.2.13-1.2mdv2010.0.i586.rpm
 50e1f9b8c2b36781b5597c37756f0a27  2010.0/i586/libxmlsec1-gnutls1-1.2.13-1.2mdv2010.0.i586.rpm
 94b518a20f8d6a99033be5c7fa9a561c  2010.0/i586/libxmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.i586.rpm
 b5e93f5674d8b2065e64f2e53ba05605  2010.0/i586/libxmlsec1-nss1-1.2.13-1.2mdv2010.0.i586.rpm
 880fe166f23413733c3c3c118d816387  2010.0/i586/libxmlsec1-nss-devel-1.2.13-1.2mdv2010.0.i586.rpm
 21b46e66c6b78df3fbcd86064cf30e7c  2010.0/i586/libxmlsec1-openssl1-1.2.13-1.2mdv2010.0.i586.rpm
 6620368f5cc3bcbb857b4a23eac3c8ca  2010.0/i586/libxmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.i586.rpm
 c2ea73966298d29fdfdc34c7c2a2f1c2  2010.0/i586/xmlsec1-1.2.13-1.2mdv2010.0.i586.rpm 
 877a15d6552bedb5763df240f4d82d84  2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 a62d421d4fd1899fbba01309dbaf1896  2010.0/x86_64/lib64xmlsec1-1-1.2.13-1.2mdv2010.0.x86_64.rpm
 2f537e7a96421519da35174c233ce595  2010.0/x86_64/lib64xmlsec1-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 7a8b160fe2e6034be36f6eae79085ace  2010.0/x86_64/lib64xmlsec1-gnutls1-1.2.13-1.2mdv2010.0.x86_64.rpm
 0a6294fd609fc0852648a497a88483c0  2010.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 29db3a07cccce7ad181397aad0cc8d0d  2010.0/x86_64/lib64xmlsec1-nss1-1.2.13-1.2mdv2010.0.x86_64.rpm
 fbbf15dc907548874aa56a0a60288c44  2010.0/x86_64/lib64xmlsec1-nss-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 91cde9b85b74ee50ca22063395776ad5  2010.0/x86_64/lib64xmlsec1-openssl1-1.2.13-1.2mdv2010.0.x86_64.rpm
 48200b7dbaf54a0f3b773fe838bba047  2010.0/x86_64/lib64xmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 959b3952c7246d48878bd70d51966a8e  2010.0/x86_64/xmlsec1-1.2.13-1.2mdv2010.0.x86_64.rpm 
 877a15d6552bedb5763df240f4d82d84  2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm

 Mandriva Enterprise Server 5:
 319b4ab924dbbbf82f4614d148f14804  mes5/i586/libxmlsec1-1-1.2.10-7.3mdvmes5.2.i586.rpm
 9278a1efe02a044e5ff7a1a37ffa36d4  mes5/i586/libxmlsec1-devel-1.2.10-7.3mdvmes5.2.i586.rpm
 cb993560c51e070393b7e2e0861900ff  mes5/i586/libxmlsec1-gnutls1-1.2.10-7.3mdvmes5.2.i586.rpm
 293f8773291935a45d76908db7825384  mes5/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdvmes5.2.i586.rpm
 aab3eb1ab4455876a2339e9863fa7935  mes5/i586/libxmlsec1-nss1-1.2.10-7.3mdvmes5.2.i586.rpm
 2ff66c74e00e7dd79d6037162dde87b8  mes5/i586/libxmlsec1-nss-devel-1.2.10-7.3mdvmes5.2.i586.rpm
 f2f5866fd188473eb74e33c5b78c2d9a  mes5/i586/libxmlsec1-openssl1-1.2.10-7.3mdvmes5.2.i586.rpm
 c41b9570228f06d39b91d87a8538728c  mes5/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdvmes5.2.i586.rpm
 308bc571cc766753f0c07a44ca80181c  mes5/i586/xmlsec1-1.2.10-7.3mdvmes5.2.i586.rpm 
 d07141a9abde87df9f330093acd2d59f  mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 327e47c32620609fd4245c32475938c7  mes5/x86_64/lib64xmlsec1-1-1.2.10-7.3mdvmes5.2.x86_64.rpm
 033b408efc5436eb5d6e09a9582760a5  mes5/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
 814d8c33a387f72d855f7bfc250f74e3  mes5/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdvmes5.2.x86_64.rpm
 2883ed21f25132b542780bd1dfccfb17  mes5/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
 3409c185fdbcb57c45a1883752ade7c3  mes5/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdvmes5.2.x86_64.rpm
 f781e2d050e0c19945c783dc86745e08  mes5/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
 cc9fc7fcd1d32d4877689486e424875e  mes5/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdvmes5.2.x86_64.rpm
 a5315ce478dda5fd0af55a1acf043288  mes5/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
 1a153d8d6af32724260f029205cd0a54  mes5/x86_64/xmlsec1-1.2.10-7.3mdvmes5.2.x86_64.rpm 
 d07141a9abde87df9f330093acd2d59f  mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNmXaUmqjQ0CJFipgRAgs3AKCLIc162L+edW3LKFOx7G/U4GkynwCgpJ7j
SEMdD/0Sj9XbDDepzFsOW3o=
=Kuyv
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ