Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in xmlsec1
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in xmlsec1
ID: MDVSA-2009:318
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Sa, 5. Dezember 2009, 18:39
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
https://www.kb.cert.org/vuls/id/466161
Applikationen: xmlsec1

Originalnachricht

This is a multi-part message in MIME format...

------------=_1260034770-24326-1670


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:318
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xmlsec1
Date : December 5, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in xmlsec1:

A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).

All versions of libtool prior to 2.2.6b suffers from a local
privilege escalation vulnerability that could be exploited under
certain conditions to load arbitrary code (CVE-2009-3736).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update fixes this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://www.kb.cert.org/vuls/id/466161
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
b74d614ed793451440ea18c7aab434ee
2008.0/i586/libxmlsec1-1-1.2.10-5.1mdv2008.0.i586.rpm
34cc1274710d3c2013ff4c1222d0349d
2008.0/i586/libxmlsec1-devel-1.2.10-5.1mdv2008.0.i586.rpm
88b378d43d3ba44bad7d47c1eb5d6c5c
2008.0/i586/libxmlsec1-gnutls1-1.2.10-5.1mdv2008.0.i586.rpm
7c7e766ab3886c57d1519b83b4b06af8
2008.0/i586/libxmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.i586.rpm
712c732bc8ff6050fdc6dd108623e63a
2008.0/i586/libxmlsec1-nss1-1.2.10-5.1mdv2008.0.i586.rpm
bed9636e852f4c90cd9a5891fb9395ea
2008.0/i586/libxmlsec1-nss-devel-1.2.10-5.1mdv2008.0.i586.rpm
3e6940d49ffc024240b7116250d1f770
2008.0/i586/libxmlsec1-openssl1-1.2.10-5.1mdv2008.0.i586.rpm
cb8d177f72966ff06a9a1e08f8c48dbe
2008.0/i586/libxmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.i586.rpm
38ae0ed435d6e5133530d5af4a33883a
2008.0/i586/xmlsec1-1.2.10-5.1mdv2008.0.i586.rpm
bf47e5312113b150bdcce2634254b555
2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
2f16be60c636cc6d286258b7d331f52b
2008.0/x86_64/lib64xmlsec1-1-1.2.10-5.1mdv2008.0.x86_64.rpm
dcbfa0192a2a1ed72d9b4f7fc4c31c7f
2008.0/x86_64/lib64xmlsec1-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
b7d5a923126d4ab43b9c9868aed26803
2008.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-5.1mdv2008.0.x86_64.rpm
041a56825a59f497dce1085bc0fcf717
2008.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
5f70fda9524faee1b86e14e7b092e426
2008.0/x86_64/lib64xmlsec1-nss1-1.2.10-5.1mdv2008.0.x86_64.rpm
63c4b923f7cf4bb46e06d966a880ef6c
2008.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
62174f73e2d333da65befa79cd85c1ad
2008.0/x86_64/lib64xmlsec1-openssl1-1.2.10-5.1mdv2008.0.x86_64.rpm
6439cacc0520e43b8280758a4a91b042
2008.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
e4db63bda5a32757a17be8d4dcd31639
2008.0/x86_64/xmlsec1-1.2.10-5.1mdv2008.0.x86_64.rpm
bf47e5312113b150bdcce2634254b555
2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGm8VmqjQ0CJFipgRAoJbAJ42kcAyU+o1vyhTG3qRCkeqdZrZVwCghcOr
q34YlWPMSVOFL9sx5T0/mA4=
=WFZU
-----END PGP SIGNATURE-----


------------=_1260034770-24326-1670
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1260034770-24326-1670--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung