Package: xmlsec1
Severity: serious
Tags: security

Hi,
A new version of xmlsec has been released which fixes a security issue:

"When using XML Security Library prior to 1.2.17, it is possible to create or overwrite arbitrary files during signature verification, if XSLT is present and enabled (which is the default mode). The attack uses the libxslt extension "output" or its aliases, inside a <ds:Transform> element."

See attached announcement email.

Cheers,
Thijs
--- Begin Message ---
The new XML Security Library 1.2.17 release available at the usual place:

http://www.aleksey.com/xmlsec/download.html

This release includes a fix for an important security issue with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):

When using XML Security Library prior to 1.2.17, it is possible to create or overwrite arbitrary files during signature verification, if XSLT is present and enabled (which is the default mode). The attack uses the libxslt extension "output" or its aliases, inside a <ds:Transform> element.

It is strongly recommended to upgrade to the new version of XML Security Library as soon as possible. If the upgrade can not be performed, you can do one of the following:

- Explicitly call xsltNewSecurityPrefs() in your application and forbid any access to file system as it is done in the following commits:
  http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
  http://trac.webkit.org/changeset/79159
- Recompile xmlsec library with disabled xslt support using ./configure --without-libxslt command
- Disable XSLT transform if it is not used (see enabledUris field in struct xmlSecTransformCtx)

Thanks to everyone for the contribution, patches and bug reports!

Aleksey Sanin
_______________________________________________
xmlsec mailing list
xml...@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
--- End Message ---
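The third workaround in the announcement (refuse the XSLT transform when the application does not need it, as enabledUris does inside xmlsec) can also be enforced as a pre-check in the calling application before the document reaches the verifier. The following is an added example written for this report, not code from xmlsec or the Debian package; it assumes the application only ever needs the enveloped-signature and C14N transforms, and the sample signatures are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Transform algorithm URI for XSLT in XML-DSig; this is the code path the
# CVE-2011-1425 advisory is about.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Allowlist of transforms this (hypothetical) application actually uses. An
# allowlist rather than a blocklist, so any unexpected algorithm is rejected.
ALLOWED_TRANSFORMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
})


def transform_algorithms(signature_xml):
    """Collect the Algorithm URI of every ds:Transform in a signature document."""
    root = ET.fromstring(signature_xml)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DSIG_NS}}}Transform")]


def disallowed_transforms(signature_xml, allowed=ALLOWED_TRANSFORMS):
    """Return the transform URIs not on the allowlist. An empty list means the
    signature can be handed to the verifier without exercising XSLT."""
    return [a for a in transform_algorithms(signature_xml) if a not in allowed]


# Constructed sample signatures (structure only; digests and values omitted).
def _sample(transform_uri):
    return f"""<ds:Signature xmlns:ds="{DSIG_NS}">
  <ds:SignedInfo>
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="{transform_uri}"/>
      </ds:Transforms>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""


BENIGN_SIGNATURE = _sample("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
XSLT_SIGNATURE = _sample(XSLT_TRANSFORM)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SIGNATURE), ("xslt", XSLT_SIGNATURE)):
        bad = disallowed_transforms(doc)
        print(name, "rejected" if bad else "accepted", bad)
```

The check is a policy gate only: it is applied before verification and does not replace the upgrade to 1.2.17, and on untrusted input the XML should be parsed with a hardened parser (for example defusedxml) rather than plain ElementTree.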