lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1Uoy50-0004D3-QX@master.debian.org> Date: Tue, 18 Jun 2013 15:44:22 +0000 From: Salvatore Bonaccorso <carnil@...ian.org> To: debian-security-announce@...ts.debian.org Subject: [SECURITY] [DSA 2710-1] xml-security-c security update -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2710-1 security@...ian.org http://www.debian.org/security/ Salvatore Bonaccorso June 18, 2013 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xml-security-c Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-2153 CVE-2013-2154 CVE-2013-2155 CVE-2013-2156 James Forshaw from Context Information Security discovered several vulnerabilities in xml-security-c, an implementation of the XML Digital Security specification. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-2153 The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content. CVE-2013-2154 A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code. CVE-2013-2155 A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input. CVE-2013-2156 A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitary code execution. For the oldstable distribution (squeeze), these problems have been fixed in version 1.5.1-3+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 1.6.1-5+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.6.1-6. We recommend that you upgrade your xml-security-c packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@...ts.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJRwHydAAoJEHidbwV/2GP+4yoP/Rnk79Cvk1G7JKQXvnwyaRWm rXg8dxNz2RihzscmdS5t7EdZem3Xp1vAdVzgXlQK9Ll8DbqtMXgvM3/CburBHtn5 2CXJyryJ5YtK9758JQLjjE5zS74AWMgEUFcu5zBjAC9BX5XWRVRa67yovi8xsync sDiQTsVPSe8IWJ1N2Le70qA/2Bmzf7E+EPYig8kEFa3dEb3+KJ2d2e/mJbexv0CJ FNZTVyHRD2Q/kiB74IUyUBuuyw1gMAj+tdEmucdMgzAU6dBvoP+p5/uLXWoeTez6 X0TJqglbMPSod1LQrMdd4kzo5LZ8P1EjS2S7I6oq5n4kUcw4WLrSmxCDMXci52um WwFk8r4LdnXYDaBeuNtO0Z0TeJ3YaFuoOMzZadVgqqU7TX6DzOYC1q+dj0TxYXjD 2Fxu8/18mU9qO4oADVkk/OpsLday4br+HOvzAJXfySh65sLP39PyYeDMZp+BAJ4S Z2enVfaVz7p/oBardDElD5E1qiLo+tC8meFwJ7yJhwJuzOh9qYDjCa0dXD1ZcYso vqAxnnW4RTerY4dpvsFuZCcKcDzfh3Pf4M2MkBiJ8ZHw6t1BAjOPb7XcSYzmmoEu s2L+yhZrxd5iDjMZ1SwOhds5k/rg7sIibi0HZgtjmm/CRxLhMDDl6iqJEHv7jB/x /6laY6ryAuw5RTWhC6Ae =jPyl -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists