Your message dated Sat, 09 Apr 2011 16:23:40 +0000
with message-id <e1q8awm-0001tk...@franck.debian.org>
and subject line Bug#620560: fixed in xmlsec1 1.2.14-1.1
has caused the Debian Bug report #620560,
regarding xmlsec security issue: arbitrary file overwriting CVE-2011-1425
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
620560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xmlsec1
Severity: serious
Tags: security

Hi,

A new version of xmlsec has been released which fixes a security issue:

"When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element."

See attached announcement email.


Cheers,
Thijs

--- Begin Message ---
The new XML Security Library 1.2.17 release available at
the usual place:

   http://www.aleksey.com/xmlsec/download.html

This release includes a fix for an important security issue
with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):

When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element.

It is strongly recommended to upgrade to the new version of XML
Security Library as soon as possible. If the upgrade can not be
performed, you can do one of the following:

- Explicitly call xsltNewSecurityPrefs() in your application and
  forbid any access to file system as it is done in the following
  commits:

   http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
   http://trac.webkit.org/changeset/79159

- Recompile xmlsec library with disabled xslt support using

  ./configure --without-libxslt command

- Disable XSLT transform if it is not used (see enabledUris field
  in struct xmlSecTransformCtx)



Thanks to everyone for the contribution, patches and bug reports!

Aleksey Sanin
_______________________________________________
xmlsec mailing list
xml...@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

--- End Message ---



--- End Message ---
--- Begin Message ---
Source: xmlsec1
Source-Version: 1.2.14-1.1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.14-1.1_i386.deb
libxmlsec1-gnutls_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.14-1.1_i386.deb
libxmlsec1-nss_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.14-1.1_i386.deb
libxmlsec1-openssl_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.14-1.1_i386.deb
libxmlsec1_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1_1.2.14-1.1_i386.deb
xmlsec1_1.2.14-1.1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.14-1.1.diff.gz
xmlsec1_1.2.14-1.1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.14-1.1.dsc
xmlsec1_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/xmlsec1_1.2.14-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 09 Apr 2011 17:40:24 +0200
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source i386
Version: 1.2.14-1.1
Distribution: unstable
Urgency: high
Maintainer: John V. Belmonte <jbelmo...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 620560
Changes: 
 xmlsec1 (1.2.14-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch from upstream addressing arbitrary file overwrite
     (CVE-2011-1425, closes: #620560).
Checksums-Sha1: 
 5c3352935e6f4d0318dd27ecc4635eedef98eb98 1535 xmlsec1_1.2.14-1.1.dsc
 425d5c1a7bf144183cd03ebd8f6ffc9813747133 5904 xmlsec1_1.2.14-1.1.diff.gz
 3d5e6ce691ac282d3557d3775f4a14d34e50b7ad 851810 libxmlsec1-dev_1.2.14-1.1_i386.deb
 07045059b9d5150a1316cc010de7b02dfb72248e 138332 libxmlsec1_1.2.14-1.1_i386.deb
 323ea8483b23799bdbb8edba6e261fc76d1dc980 86278 libxmlsec1-openssl_1.2.14-1.1_i386.deb
 6e85d658a157d09d9e3dae433ed0ba4e1637c4a6 38184 libxmlsec1-gnutls_1.2.14-1.1_i386.deb
 e49ed97d808cc67773c5d4e977b9f564a48c74e6 80678 libxmlsec1-nss_1.2.14-1.1_i386.deb
 9e13f7763dd2dd1e8f9ac7d7b2ee71d24c48a710 43952 xmlsec1_1.2.14-1.1_i386.deb
Checksums-Sha256: 
 6b32a4d651c2777c1f45ba1a76e928261071cf2247712c212eb7b025cc80a56c 1535 xmlsec1_1.2.14-1.1.dsc
 0183e12da956a9f774366903bb13a902c47773178bf3cca17f5f8641b6daec48 5904 xmlsec1_1.2.14-1.1.diff.gz
 fa9e2c64c148e191a8dddfa69ecedc493df7c86ec7e6a03047e00739a90c486d 851810 libxmlsec1-dev_1.2.14-1.1_i386.deb
 a6e449e074e1ee7cb282190b22b0008f17d426702dd21180e5a191ad89c1c84b 138332 libxmlsec1_1.2.14-1.1_i386.deb
 eacf9915033b0bb8f7cadca143d5b4fc281280b65d230aaf90cec4b81c60044b 86278 libxmlsec1-openssl_1.2.14-1.1_i386.deb
 f47602939543eff356176718d854207a65f4e39434e0995a7ad8115c693be3f7 38184 libxmlsec1-gnutls_1.2.14-1.1_i386.deb
 d93a074c4e07bffdb078290ca7c67a55f5b6f5f993c02045bf2e16676ef6e886 80678 libxmlsec1-nss_1.2.14-1.1_i386.deb
 086a6003466c8c14883a396f8410f5137bb58fab6f36b1b0964bb0dbeb94b8ea 43952 xmlsec1_1.2.14-1.1_i386.deb
Files: 
 19e8b50dfe0724092390703f74bc2809 1535 text optional xmlsec1_1.2.14-1.1.dsc
 0034808cdfc09b82c32fc0208848ff4d 5904 text optional xmlsec1_1.2.14-1.1.diff.gz
 db93a61a49170bfd6a6f16b8c1d9bcb6 851810 libdevel optional libxmlsec1-dev_1.2.14-1.1_i386.deb
 5271a07bf37f2a8e88c74a738b853b64 138332 libs optional libxmlsec1_1.2.14-1.1_i386.deb
 494cb8b17994af50aafa956ddb617eaf 86278 libs optional libxmlsec1-openssl_1.2.14-1.1_i386.deb
 c434da0e4703407b9314aa29f32c30f2 38184 libs optional libxmlsec1-gnutls_1.2.14-1.1_i386.deb
 6417c2d42e00b61c097ef8c2f34fed88 80678 libs optional libxmlsec1-nss_1.2.14-1.1_i386.deb
 3b2abdf6c5433fed5a9a350d1a4fe936 43952 text optional xmlsec1_1.2.14-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJNoIARAAoJEOxfUAG2iX5772YIANFpGJy5ENY8CSM88tnvys/i
wBlHKP4T76u7txWX4iTgKUlWWzQjeNuU7LFartOL7mfLbkJIX5fBesVF768jp4I0
vTXKcwx57a12f/W31eYMF8JkT2Io024CXmgrFcC3YLrrLLMN4nZwglRpIYM/1aQG
aKdQH2FCJIOiksO8xazohfpRTmtT+cN1cvA8zUZv5d/MPdmyb9E0Orq7Xg4W8SVL
3fmXblzXagNgvVnN22XdpXKwGsr8IcLFc1jHHVQOp1UB5F/poqkGfFKisK3KQmNx
hM19ljdb9LL5CMRT+363ieesZBohbv4lUaYMQtVXNJ29PlqKqdEaga7ICe8tCjw=
=tZTv
-----END PGP SIGNATURE-----



--- End Message ---